Volume 38 of 111

(Accused Copy)

VERBATIM¹ RECORD OF TRIAL²
(and accompanying papers)

of

MANNING, Bradley E.
(Name: Last, First, Middle Initial)

(Social Security Number)

PFC/E-3
(Rank)

Headquarters and Headquarters Company, United States Army Garrison
(Unit/Command Name)

U.S. Army
(Branch of Service)

Fort Myer, VA 22211
(Station or Ship)

By

GENERAL COURT-MARTIAL

Convened by Commander
(Title of Convening Authority)

UNITED STATES ARMY MILITARY DISTRICT OF WASHINGTON
(Unit/Command of Convening Authority)

Tried at

Fort Meade, MD on see below
(Place or Places of Trial) (Date or Dates of Trial)

Date or Dates of Trial:

23 February 2012, 15-16 March 2012, 24-26 April 2012, 6-8 June 2012, 25 June 2012,
16-19 July 2012, 28-30 August 2012, 2 October 2012, 12 October 2012, 17-18 October 2012,
7-8 November 2012, 27 November - 2 December 2012, 5-7 December 2012, 10-11 December 2012,
8-9 January 2013, 16 January 2013, 26 February - 1 March 2013, 8 March 2013,
10 April 2013, 7-8 May 2013, 21 May 2013, 3-5 June 2013, 10-12 June 2013, 17-18 June 2013,
25-28 June 2013, 1-2 July 2013, 8-10 July 2013, 15 July 2013, 18-19 July 2013,
25-26 July 2013, 28 July - 2 August 2013, 5-9 August 2013, 12-14 August 2013,
16 August 2013, and 19-21 August 2013.

1 Insert "verbatim" or "summarized" as appropriate. (This form will be used by the Army and Navy for verbatim records of trial only.)

2 See inside back cover for instructions as to preparation and arrangement.

DD FORM 490, MAY 2000

PREVIOUS EDITION IS OBSOLETE.

Front Cover

MJ: Wait a minute. Now he's interpreting the logs. You have foundation to lay with respect to -

Q.  What  is  the  search  reflected  in  the  log? 

TC [MAJ  FEIN]:  Ma'am,  may  I  have  a  moment? 

MJ:  Yes. 

[There  was  a  brief  pause  while  the  trial  counsel  consulted  with  the 
assistant  trial  counsel.] 

ATC [CPT von ELTEN]: I'm done laying a foundation.

MJ: Go ahead with the voir dire the witness with respect to foundation.

VOIR DIRE EXAMINATION

Questions by the assistant defense counsel [CPT TOOMAN]:

Q. Good morning, Agent Mander.

A.  Good  morning. 

Q.  Agent  Mander,  what  experience  do  you  have  with  Intelink? 

A.  As  a  user,  I've  used  Intelink  to  conduct  various  searches. 

Q. Do you know how Intelink was programmed? Do you know how it operates?

A.  Can  you  be  a  little  more  specific? 

Q.  Do  you  know  how  Intelink  goes  about  creating  those  logs? 

A.  I  do  not  know  the  specifics  about  that. 

Q.  Do  you  know  where  Intelink  stores  its  data? 

A. I believe in the local area here in Maryland.

Q. Do you have I guess — what sort of courses have you taken
on  computer  forensics? 

A.  I've  taken  at  least  three  courses,  one  offered  by  Guidance 
Software  specific  to  the  program  that  we  use,  it's  called  EnCase. 

I've  also  taken  two  courses  at  the  Defense  Cyber  Investigations 
Training  Academy  involving  some  of  those  same  applications  as  well  as 
other  applications. 

Q.  And  --  I'm  sorry. 

A.  I've  also  taken  a  large  data  set  acquisition  course  that 
involves  the  acquisition  of  large  amounts  of  data. 

Q.  Could  you  be  I  guess  maybe  offer  a  little  more  insight  into 
what  you  learned  in  the  Data  Set  Acquisition  Course? 

A.  Generally  speaking,  when  we  conduct  investigations  there 
are  times  where  we  will  need  to  get  information  from  say  a  server. 
Generally  a  server  is  a  type  of  computer  that  will  have  large  amounts 
of  information  on  it  such  as  log  files  as  well  as  storage.  And 
basically  the  course  taught  the  students  how  to  obtain  that 
information  and  a  little  bit  about  how  to  interpret  it. 

Q.  How  long  was  the  Data  Set  Acquisition  Course? 

A.  I'd  have  to  go  back  and  look  at  my  resume.  I  believe  it 
was  40  hours. 

Q.  40  hours.  And  how  much  of  it  was  focused  on  obtaining  data 
from a large data set?

A. I would have to go back and look at the course, what do
they  call  that,  the  one  that  lays  out  —  it's  a  document  that  usually 
lays  out  how  many  hours  are  spent  on  which  thing?  I  don't  remember. 

Q.  Like  a  syllabus? 

A.  Yeah,  syllabus.  There  you  go. 

Q. Do you recall if the bulk of that course was on how to
actually  obtain  the  data? 

A.  Again,  I  would  have  to  go  back  and  review  the  syllabus. 

Q.  When  did  you  take  that  course? 

A.  I  believe  that  was  taken  within  the  last  2  years. 

Q. You talked a little bit at that course you learned about how to interpret data. Did you learn how to interpret Intelink logs?

A. Specifically Intelink logs were not mentioned in the course.

Q.  At  that  course  you  learned  how  to  interpret  logs.  Are  all 
logs  created  equally,  that  is,  do  logs  for  Intelink  look  the  same  as 
logs  for  Google  or  logs  for  ESPN.com? 

A.  No.  Most  logs  will  have  some  uniqueness  to  them,  either 
the  formats  or  the  type  of  data  that's  contained  in  the  logs.  That 
will  be  dependent  upon  where  you're  obtaining  the  logs  from. 

ADC [CPT TOOMAN]: Your Honor, we have no further questions, but we would renew our objection as to this witness's knowledge of Intelink logs and their interpretation.

MJ: All right. Thank you. It's overruled. Proceed.

DIRECT  EXAMINATION  (Continued) 

Questions by the assistant trial counsel [CPT von ELTEN]:

Q.  Agent  Mander,  what  document  is  reflected  in  Line  19? 

A.  In  Line  19  there's  an  IP  address  followed  by  a  date  and 
time  and  then  followed  by  what  appears  to  be  the  actual  raw  data  of 
what  looks  like  it's  a  search  on  Intelink. 

Q.  What  is  the  first  IP  address? 

A.  In  Line  19  the  IP  address  is  22.225.41.40. 

Q.  And  what  was  the  search  for? 

A. The search appears to be for an IIR and it looks like the
IIR is the same IIR that you previously showed me.

ATC [CPT  von  ELTEN]:  Your  Honor,  the  United  States  moves  to  admit 
Prosecution  Exhibit  99  for  Identification  into  evidence. 

ADC [CPT TOOMAN]: No objection.

MJ: Prosecution Exhibit 99 for Identification is admitted into evidence. May I see it, please?

ATC [CPT von ELTEN]: Retrieving Prosecution Exhibit 99 from the witness.

MJ:  Before  you  do  that,  what  was  the  date  and  time  on  Line  19. 

WIT:  The  date  here  is,  it  looks  like  it's  14  February  2010,  and 
the  time  is  2334  hours,  and  it  appears  to  be  Greenwich  Mean  Time  or 
Zulu  time. 


MJ:  Thank  you. 

ATC [CPT von ELTEN]: Handing the witness Prosecution Exhibit 99. Permission to publish.

MJ:  Go  ahead. 

Questions continued by the assistant trial counsel [CPT von ELTEN]:

Q.  Agent  Mander,  can  you  please  read  Paragraphs  3  and  4? 

A. Paragraph 3. It's unclassified for official use only paragraph. It reads, 'WikiLeaks submission guides states it,

"accepts  classified,  censored,  or  otherwise  restricted  material  of 
political,  diplomatic  or  ethical  significance."  The  website  provides 
suggestions  for  the  anonymous  submission  of  material  and  several 
methods  of  submitting  material  for  inclusion  to  an  online  database. 
Methods  include  submission  via  secure  upload,  email  and  via  discrete 
postal  network.'  Paragraph  4  is  an  unclassified  for  official  use 
only  marked  paragraph.  'Since  December  '06  numerous  classified  and 
FOUO  documents  have  been  posted  and  continue  to  be  available  on 
WikiLeaks.org  site  and  its  mirrors.  Some  of  these  postings  have 
garnered  the  attention  of  major  news  media  outlets,  yet  intelligence 
reporting  has  largely  ignored  these  leaks.  This  report  is  being 
issued  in  an  attempt  to  raise  the  awareness  of  this  threat.  Some  of 
the documents discovered on the WikiLeaks website are listed below:'.

ATC [CPT von ELTEN]: I'm retrieving Prosecution Exhibit 99.

Q. Agent Mander, what is a mirror?

A. As we discussed yesterday, a mirror is like an alternate
version  of  a  website  that  generally  reflects  the  content  of  the 
original  site. 

Q.  And  what  is  the  purpose  of  a  mirror? 

A.  Well,  there's  many  purposes.  Sometimes  use  that  for 
redundancy  in  case  the  primary  website  goes  down,  you'll  have  an 
alternate  that  users  can  - 

MJ:  Yes. 

ADC [CPT TOOMAN]: We'll renew our objection from yesterday that this witness doesn't have personal knowledge of why a website would use a mirror.

MJ:  Overruled. 

A.  So  redundancy,  or  generally  redundancy  I  guess  would 
probably  be  the  best  way  to  say  it. 

ATC [CPT von ELTEN]: Thank you. No further questions.

MJ:  Cross  examination. 

ADC [CPT  TOOMAN]:  Yes,  ma'am. 

CROSS-EXAMINATION 

Questions by the assistant defense counsel [CPT TOOMAN]:

Q.  Agent  Mander,  you  talked  about  the  Intelink  logs  and  you 
looked  at  those.  From  the  Intelink  logs  you  can't  tell  if 
Prosecution  Exhibit  99  was  printed,  correct? 

A. That would be correct.

Q. You also can't tell if it was saved, a copy was saved by
the  user? 

A.  That  would  also  be  correct. 

Q.  You  really  can't  tell  if  the  user  of  that  particular 
machine  even  looked  at  the  document,  correct? 

A.  That's  also  correct. 

Q.  You  talked  a  little  bit  about  the  contents  of  that 
document.  I  guess  the  document  talked  about  WikiLeaks  accepting 
political,  diplomatic  and  ethical  contributions,  correct? 

A.  Yes. 

Q.  It  didn't  talk  about  accepting  contributions  that  would 
help  a  military,  correct? 

A.  Can  I  see  the  document  again? 

ADC [CPT TOOMAN]: Sure. I'm going to retrieve Prosecution Exhibit 99 and hand that to the witness.

A. Can you repeat your question?

Q. I'm going to go ahead and retrieve the exhibit from the witness.

A.  Is  it  possible  that  I  can  keep  this  while  you  ask  your 
question? 

Q.  Sure.  You  were  referred  to  Paragraphs  2  and  3  by  the 
prosecution  and  they  talked  about  WikiLeaks  accepting  political 
they wanted things that would be of political significance, correct

A. Correct.

Q.  They  be  wanted  things  that  would  be  of  diplomatic 
significance? 

A.  Yes. 

Q.  And  they  wanted  things  that  would  be  of  ethical 
significance,  correct? 

A.  According  to  that  paragraph. 

Q.  And  nothing  in  that  paragraph  suggests  that  WikiLeaks  was 
wanting  contributions  that  would  be  of  military  significance, 
correct? 

A.  It  doesn't  mention  military,  but  it  does  mention 
governments  and  corporations  of  various  countries. 

Q.  Okay.  Governments  and  corporations? 

A.  I  guess  you  could  infer  military  is  part  of  the  government. 

Q.  Okay.  Now,  that  document  talks  about  a  number  of 
classified  materials  that  were  released  by  WikiLeaks,  correct?  You 
talked  about  that  with  the  prosecution. 

A.  It  does,  yes. 

Q.  And  there's  nothing  in  that  document  that  says  that  the 
enemy  viewed  those  releases,  is  there? 

A.  If  you  give  me  a  moment  here. 

Q. Sure.

A. No, it doesn't specifically mention any enemies having
access to the documents.

ADC [CPT TOOMAN]: Okay. I'm going to go ahead and retrieve the exhibit from you, Agent Mander. Thank you. And give that back to the court reporter. And no further questions, ma'am.

MJ: Redirect.

ATC [CPT von ELTEN]: Nothing, Your Honor.

MJ:  All  right.  Temporary  excusal? 

ATC [CPT  von  ELTEN]:  Yes,  ma'am. 

[The witness was temporarily excused, duly warned, and withdrew from
the courtroom.]

TC [MAJ  FEIN]:  Ma'am,  the  United  States  offers  to  read  a 
stipulation. 

MJ:  Just  one? 

TC [MAJ  FEIN]:  Ma'am,  this  is  Prosecution  Exhibit  112, 
Stipulation  of  Expected  Testimony  for  Lieutenant  Colonel,  Retired, 
Martin  Nehring  dated  10  June  2013.  It  is  hereby  agreed  by  the 
Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Lieutenant 
Colonel,  Retired,  Martin  Nehring  were  present  to  testify  during  the 
merits  and  pre-sentencing  phase  of  this  court-martial,  he  would 
testify  substantially  as  follows: 

1.  I  am  a  retired  lieutenant  colonel  in  the  United  States 
Air  Force.  I  have  a  BS  in  Petroleum  Engineering  from  New  Mexico 
Institute of Mining and Technology in 1982. I received a Masters of
Public  Administration  from  Troy  University  in  1995.  I  began  serving 
on  active  duty  in  the  United  States  Air  Force  in  1985  as  a  second 
lieutenant.  During  my  career,  I  spent  12  years  on  active  duty  and  16 
years  in  the  California  Air  National  Guard.  I  retired  in  2012.  I 
deployed  in  Kuwait,  excuse  me,  I  deployed  to  Kuwait  in  2001  with  the 
Third  Army.  I  also  deployed  to  Kosovo  in  2002  for  Weather 
Operations.  In  2006,  I  deployed  to  Afghanistan  and  ran  all  weather 
operations  in  Afghanistan.  Throughout  my  career  in  the  Air  Force  as 
a  trained  meteorologist,  I  possessed  a  Top  Secret  clearance  and 
handled  Top  Secret  information.  I  handled  classified  information  at 
the  beginning  of  my  service  in  1985  and  had  training  in  how  to  handle 
and  identify  classified  information.  I  worked  with  classified 
information  at  all  times  during  my  military  career. 

From  2009  to  February  2012,  I  worked  at  United  States 
Central  Command,  USCENTCOM.  I  worked  in  a  Sensitive  Compartmented 
Information  Facility,  SCIF,  at  USCENTCOM.  Initially,  I  worked  at  the 
weather  desk.  After  USCENTCOM  discontinued  the  weather  desk,  I  was 
reassigned  under  the  USCENTCOM  Directorate  of  Operations  J-3,  as  the 
J-3  subject  matter  expert,  SME,  for  identifying  J-3  classified 
equities  within  United  States  Government  official  documentation.  In 
this  capacity,  I  was  primarily  responsible  for  reviewing  documents 
being  processed  under  the  Freedom  of  Information  Act,  FOIA,  which 
belonged to or contained information from USCENTCOM J-3. For FOIA
requests, I reviewed the information, excuse me, Your Honor. I
reviewed  the  requested  information  for  classified  information  to 
determine  whether  the  document  could  be  released  under  the  FOIA. 
Additionally,  I  conducted  review  for  release  of  information  to  family 
members  of  Servicemembers  who  were  killed,  wounded,  or  kidnapped 
within  the  USCENTCOM  theaters  of  operations  and  the  media.  I  also 
conducted  separate  reviews  for  coalition  partners  because  the 
standards  were  different  for  each.  Family  members  and  the  media 
could  only  receive  unclassified  information.  Coalition  partners 
could  receive  certain  classified  information.  Classified  information 
in  a  document  could  not  be  released  under  the  FOIA  even  if  the 
remainder  of  the  document  contained  publicly  available  information 
because  the  information  is  still  protected. 

In  my  capacity  as  the  J-3  SME,  I  reviewed  documents 
pertaining to United States v. Private First Class Bradley Manning,
which the prosecution provided to USCENTCOM. The documents provided
by the prosecution, submitted documents, included, among others,
documents from the Combined Information Data Network Exchange Iraq,
CIDNE-I, the Combined Information Data Network Exchange Afghanistan,
CIDNE-A, other documents related to the AR 15-6 investigation of the
Farah incident, and a file named "BE22 PAX.zip" containing a video
named "BE22_PAX.wmv" the Gharani video.

I was tasked through the J-3 Task Management Tool. I
received the submitted documents from the USCENTCOM JAG office. My
assignment required me to determine whether the submitted documents
contained classified information at the time they were compromised.
I reviewed the documents for classified USCENTCOM J-3 equities.

To  determine  whether  submitted  documents  were  classified  at 
the  time  of  compromise,  I  used  three  classification  guides.  I  used  a 
USCENTCOM  classification  guide  dated  before  Operation  Iraqi  Freedom, 
the  updated  version  of  that  USCENTCOM  classification  guide  dated 
during  Operation  Iraqi  Freedom,  and  the  version  of  the  USCENTCOM 
classification  guide  that  was  current  at  the  time  I  conducted  the 
classification  review.  I  did  not  consider  the  following  in  making 
any  determination:  One,  what,  if  any,  of  this  material  was  included 
in  open  source  reporting;  two,  what,  if  any,  of  this  material  was 
available  in  unclassified  publications,  such  as  Army  Regulations  or 
Field  Manuals;  and,  three,  what,  if  any,  of  this  material  may  have 
been  shared  at  the  tactical  level  during  the  key  leader  engagements 
described  below. 

I  applied  a  process-oriented  approach  towards  applying  the 
classification  guide  to  each  of  the  submitted  documents.  First,  I 
would  determine  the  date  of  the  document  and  use  the  classification 
guide  appropriate  for  each  document's  date.  I  would  determine  the 
document's  classification  at  the  time  the  document  was  created. 
Documents I determined that were unclassified were removed from the
collection  of  submitted  documents.  In  fact,  I  approached  the 
documents  with  a  "FOIA  mindset"  and  tried  to  ensure  each  document 
was  not  actually  classified.  I  did  not  presume  any  document  was 
classified  and  reviewed  each  line  in  each  document  for  classified 
information. 

Second,  I  reviewed  the  document  to  determine  if  it  was 
classified  at  the  time  of  it  was  compromised  according  to  the 
appropriate  security  classification  guides.  I  reviewed  documents  for 
USCENTCOM  J-3  equities.  Documents  containing  intelligence  were  sent 
to Mr. Louis Travieso for further review for USCENTCOM J-2 equities.
I conducted a line-by-line review and reviewed each document for
USCENTCOM J-3 equities by applying specific paragraphs of the
classification guides from the appropriate time period. Where the
reviewed document contained USCENTCOM J-3 equities as determined by
the appropriate USCENTCOM classification guide, I marked the document
as containing information I believed to be sensitive and classified.
I annotated the basis for each classification decision in my sworn
declaration dated 19 October 2011, which is Bates Number
0052737000527377. Prosecution Exhibit 86 for Identification is my
declaration. All documents noted in the declaration contained
classification markings at the Secret level, hereinafter "J-3
reviewed documents".

The J-3 reviewed documents consisted of documents collected
from  CIDNE-I,  CIDNE-A,  and  other  documents  related  to  the  Farah 
investigation,  and  the  Gharani  video.  The  reviewed  documents 
contained  military  information,  to  include  military  plans,  weapons 
systems,  or  operations;  foreign  government  information;  significant 
activity reports (SIGACTs); operational code words when identified
with mission operations; SIGACTs related to fact of and general type
of IED attack at specific locations on specific dates — date;
participating units, including types of vulnerabilities, locations,
quantities, readiness status, deployments, redeployments, and details
of movements of US friendly forces; concept of operations (CONOPS),
operation orders (OPORD), or fragmentary orders (FRAGOs);
vulnerabilities  or  capabilities  of  systems,  installations, 
infrastructures,  projects,  plans,  or  protection  services  relating  to 
national  security;  and  limitations  and  vulnerabilities  of  US  forces 
in  combat  area. 

CIDNE-I  and  CIDNE-A  contained  SIGACT  reports.  The  SIGACTs 
were  marked  as  Secret.  Within  the  SIGACTs,  several  categories 
appeared  multiple  times.  These  categories  include  key  leader 
engagements,  mission  report  logs,  reports  on  improvised  explosive 
devices,  IEDs,  and  tactics,  techniques,  and  procedures  (TTPs)  in 
response  to  IEDs,  and  reports  and  responses  for  missions  focused  on 
duty status-whereabouts unknown (DUSTWUN).

Key leader engagements described interactions of members in
the  military  with  local  leaders  in  Iraq  and  Afghanistan  regarding  a 
broad  range  of  topics.  Disclosure  of  the  key  leader  engagements 
would  reveal  foreign  government  activities,  the  involvement  of 
Servicemembers  with  local  foreign  leaders,  and  the  identities  of 
local  leaders. 

Mission  report  logs  describe  troop  movements,  activities, 
and  engagements  with  hostile  forces.  The  mission  report  logs 
describe  tactics,  troop  locations,  weapons  and  military  equipment 
used. 

IED  reports  detailed  the  casualties  inflicted  on 
Servicemembers,  the  locations  of  the  attacks,  and  TTPs  for  detecting 
and  responding  to  IED  attacks.  The  IED  reports  recount  the  attacks 
of  hostile  forces,  troop  locations,  and  the  capabilities  of  United 
States  forces. 

DUSTWUN  reports  stated  the  names  and  other  personal 
information  of  kidnapped  Servicemembers  and  the  TTPs  in  response  to 
locate the kidnapped Servicemember. The DUSTWUN reports state troop
locations,  tactics,  encounters  by  military  forces  with  hostile  forces 
and  foreign  nationals. 

The  53  CIDNE-I  reports  that  contained  J-3  equities  are 
located  in  Appellate  Exhibit,  AE  501  and  that  have  the  Bates  Numbers, 
excuse  me,  Your  Honor,  00377912  through  00377918,  00377921  through 
0377933, 00377935 through 00337938, 00377940 through 00377949,
00377952 through 00377958, 00377960 through 00377963, 00377965
through 00377980, 00377983 through 00377986, 00377988 through
003778013, and 00378016 through 00378026. These CIDNE-I reports are
contained within PE 88 for ID. The 36 CIDNE-A reports that contained
J-3 equities are located in AE 501 and that have the Bates Numbers
00377846 through 00377846, 00377849 through 00377856, 00377860
through 00377871, 00377874 through 00377883, 00377886 through
00377905, and 00377907 through 00377910. The CIDNE-A reports are
contained within PE 89 for ID.

The  J-3  reviewed  documents  contain  SIGACT  reports  from 
CIDNE-I  that  I  determined  contained  classified  information  according 
to  the  applicable  security  classification  guides.  These  SIGACT 
reports  from  CIDNE-I  were  all  marked  Secret.  Additionally,  the  J-3 
reviewed  documents  certant  —  excuse  me,  Your  Honor,  the  J-3  reviewed 
documents  contain  SIGACT  reports  from  CIDNE-A  that  I  determined 
contained  classified  information  according  to  the  applicable  security 
classification  guides.  These  SIGACT  reports  from  CIDNE-I  and  CIDNE-A 
were  all  marked  Secret.  The  J-3  reviewed  documents  within  —  The  J-3 
reviewed  documents  within  PE  88  for  ID  and  PE  89  for  ID  contain 
multiple  forms  of  military  information,  to  include  but  not  limited  to 
the  following:  One,  threat  of  attack  in  an  area  by  a  specific  group; 
two,  confirmed  that  a  previously  reliable  source  of  intelligence 
provided information; three involved direct and indirect fire
reports;  four,  reported  casualties;  five  reported  loss  of  equipment; 
six,  stated  types  of  weapons  encountered  in  an  enemy  engagement; 
seven,  reported  the  effectiveness  of  IED  attacks;  eight,  reported  the 
locations  of  IED  attacks;  nine,  identified  IED  TTPs  for  responding  to 
IED attacks; ten, identified TTPs for identifying and neutralizing
IEDs; eleven, identified by name suspects in investigations; twelve,
identified  quick  response  force  mobilization  TTPs;  thirteen, 
identified  code  words;  fourteen,  involved  friendly  action  reports; 
fifteen,  stated  details  of  military  missions;  sixteen,  named  multiple 
enemy  groups;  seventeen,  reported  lack  of  casualties;  eighteen, 
reported  lack  of  loss  of  equipment;  Nineteen,  identified  general 
enemy  TTPs;  twenty,  involved  an  enemy  small  arms  fire  report;  twenty- 
one,  identified  enemy  target  by  name;  twenty-two,  stated 
effectiveness  of  enemy  actions;  twenty-three,  described  a  military 
raid;  twenty-four,  identified  sources  and  methods  of  intelligence 
collection;  twenty-five,  identified  responses  based  on  intelligence 
gathered;  twenty-six,  detailed  arrest  of  a  suspect;  twenty-seven, 
stated  detention  of  a  suspect  would  have  a  significant  impact  on 
military  operations;  twenty-eight,  described  friendly  action  of 
finding  and  clearing  caches;  twenty-nine,  involved  a  border 
operations report; thirty, described a civil disturbance; thirty-one,
identified unit locations; thirty-two, reported enemy casualties;
thirty-three, stated planned unit movement; thirty-four, stated
details  of  combat  patrols;  thirty-five,  described  key  leader 
engagement;  thirty-six,  assessed  effectiveness  of  local  outreach 
programs;  thirty-seven,  detailed  kidnapping  of  Servicemember  of  a 
Servicemember;  and  thirty-eight,  described  initiation  of  DUSTWUN 
procedures.

Additionally,  I  reviewed  documents  from  the  AR  15-6 
investigation  into  a  military  operation  that  occurred  in  Farah 
province,  Afghanistan  on  or  about  4  May  2009.  The  AR  15-6 
investigation  into  the  Farah  incident  was  focused  on  investigating 
the  circumstances  surrounding  a  large-scale  civilian  casualties, 
CIVCAS, incident. The incident occurred in Gharani, which is a
village  in  Farah  Province,  Afghanistan.  The  documents  from  the  AR 
15-6  investigation  that  contained  J-3  equities  are  located  in  AE  501 
and  that  have  the  Bates  Numbers:  00377425  through  00377492,  00377496 
through  00377498,  00377627  through  00377637,  00377674  through 
00377675,  and  003778029  through  003778081.  These  documents  are 
contained  within  PE  90  for  ID.  As  noted  in  PE  90  for  ID,  I  found 
that  these  documents  contained  information  I  believed  to  be  sensitive 
classified  because  they  reveal  operational  activities,  weapons 
systems,  and  code  words. 

As  part  of  my  review  of  the  Farah  documents,  I  reviewed  a 
file named "BE22 PAX.zip" containing a video named "BE22 PAX.wmv"
hereinafter Gharani video. PE 20 — excuse me, Your Honor, PE 66 for
ID  is  a  CD  that  contains  both  files  I  reviewed.  The  Gharani  video 
depicts  portions  of  a  military  operation  in  the  Farah  Province, 
Afghanistan.  The  Gharani  video  reveals  operational  code  words 
associated  with  the  mission.  The  video  also  reveals  operational 
activities  including  troop  movements  and  weapons  systems.  Finally, 
the  video  includes  specific  information  contained  on  the  heads-up 
display. 

After  my  review  of  the  above  referenced  documents  for 
USCENTCOM  J-3  equities,  I  forwarded  my  conclusions  and 
recommendations  to  Deputy  Commander,  USCENTCOM,  an  Original 
Classification  Authority,  for  his  determination  as  to  whether  the 
information  is  properly  classified. 

Your  Honor,  the  United  States  moves  to  admit  Prosecution 
Exhibits  88  and  89  for  Identification  as  Prosecution  Exhibits  88  and 
89. 

ADC [MAJ  HURLEY]:  No  objection,  ma'am. 

MJ: All right. Prosecution Exhibits 88 and 89 are admitted. May I see them, please? Prosecution Exhibits 89, excuse me, 88 and 89 are admitted.

TC [MAJ  FEIN]:  Ma'am,  the  United  States  moves  to  admit 
Prosecution  Exhibits  86  and  90  for  Identification  as  Prosecution 
Exhibits 86 and 90.

ADC [MAJ HURLEY]: No objection, ma'am.

MJ:  All  right.  Prosecution  Exhibits  86  and  90  are  admitted. 

ATC [CPT von ELTEN]: Your Honor, I have Prosecution Exhibit 106,
a  Stipulation  of  Expected  Testimony  of  Mr.  Jacob  Grant. 

MJ:  That's  106? 

ATC [CPT  von  ELTEN]:  Yes,  ma'am. 

MJ:  Proceed. 

ATC [CPT  von  ELTEN]:  It  is  hereby  agreed  by  the  Accused,  Defense 
Counsel  and  Trial  Counsel  that  if  Mr.  Jacob  Grant  were  present  to 
testify  during  the  merits  and  pre-sentencing  phases  of  this  court- 
martial,  he  would  testify  substantially  as  follows: 

I  currently  serve  as  Contract  Task  Lead  for  CCJ6,  assigned 
to  the  Active  Cyber  Defense  Branch  at  U.S  Central  Command's 
Headquarters,  USCENTCOM  on  MacDill  Air  Force  Base  in  Florida.  In 
this  capacity,  I  am  responsible  for  conducting  various  levels  of 
cyber  operations  for  USCENTCOM  and  Overseas  Areas  of  Responsibility 
(AOR) including computer network defense (CND) activities, computer
network attack (CNA), planning and analysis, and the analysis and
reverse engineering of computer network exploitation (CNE) activities
in order develop effective countermeasures. I am the lead for our
"in-house" Computer Emergency Response Team, C-E-R-T, CERT. In this
capacity — In this capacity, I perform in-depth forensic analysis of
CND alerts, flow analysis, or interpretation of threat information to
include security compromises, network intrusions, and malicious logic
outbreaks.  I  have  held  this  position  for  four  and  a  half  years.  At 
the  time  of  my  involvement  in  this  case,  I  was  the  Senior  INFOSEC 
Analyst  with  the  Information  Assurance  (IA)  Branch  of  the  J-6 
USCENTCOM.  I  have  also  been  an  IA  watch  officer,  a  senior  analyst, 
and  a  senior  engineer.  I  served  for  2  years  as  an  enlisted  Airman 
working  in  technical  control  and  network  engineering. 

I  am  a  certified  Information  Systems  Security  Professional, 
CISSP,  2008.  I  have  a  Top  Secret/SCI  security  clearance.  I  have 
associate  degrees  in  Electronic  Systems  Technology  and  Avionics 
Systems  Technology.  I  am  a  Cisco  Certified  Network  Associate,  CCNA, 
2003, and a CORE Impact Certified Professional, CICP, 2013. Some of
the network security and associated training I have received
includes: McAfee Network Security Platform Administration, 2013;
ArcSight ESM Use Case Foundations, 2012; EnCase Computer Forensics 1,
2012; ArcSight Logger 5.0 Administration and Operations, 2011;
Basic Malware Analysis Using Responder Professional, 2010; Ethical
Hacking, 2008; McAfee Host-Based Security Systems, 2007; Information
Technology Service Management, ITSM, 2007; and Cisco Securing
Networks with PIX & ASA, SNPA, 2007.

I  became  involved  in  this  case  for  two  reasons.  From  19 
through  20  August  2010,  I  was  involved  in  the  collection  and  transfer 
of audit logs from the USCENTCOM SharePoint on the USCENTCOM SIPRNET
web server. At this time, I was also involved in the identification,
collection,  and  transfer  of  information  housed  within  the  —  that 
SharePoint  site.  Our  collection  focused  on  the  SharePoint  because  I 
had  identified  it  as  the  location  of  charged  documents  based  upon  the 
SIPRNET  web  page  address  of  those  documents.  Further,  Special  Agent 
John  Wilbur,  with  whom  I  was  working,  was  interested  in  the  contents 
of  the  USCENTCOM  JAG  folder. 

The  USCENTCOM  SharePoint  server  is  a  tool  to  create  an 
internet interface that allows users with access to the site on
SIPRNET  to  collaborate,  for  example,  by  sharing  files.  The 
SharePoint  itself  is  only  accessible  via  SIPRNET,  so  a  user  must 
access  it  via  secure  systems.  At  that  time,  it  was  identified  at  IP 
addresses  131.240.47.23,  for  the  SharePoint  database  cluster,  1.3  — 
131.240.47.6,  and  131.240.47.7,  for  the  web  portal  front  end  or  the 
portion  accessible  by  SIPRNET  users.  The  database  as  a  whole 
occupied  several  terabytes  of  space.  The  server  supporting  it,  from 
which  I  pulled  the  logs  and  other  information  at  issue,  is  physically 
housed  on  virtual  machines  within  a  cluster,  in  a  data  center,  on  a 
storage area network (SAN). Only authorized USCENTCOM Headquarters
J-6  personnel  are  granted  access  to  the  facility.  The  data  center 
is  protected  by  badge  access,  cipher  locks,  video  surveillance,  and 
an  access  roster. 

The audit logs I referenced herein are Internet Information
Systems,  IIS,  or  Windows  server  log  files,  which  capture  the  IP 
address  of  the  USCENTCOM  SharePoint  server.  The  logs  do  not  capture 
any  remote  or  external  IP  addresses.  The  logs  only  capture  the  dates 
and  times  documents  are  accessed  on  the  SharePoint  server,  as  well  as 
related  activity  on  the  SharePoint  server. 

For  collection  as  evidence  by  Special  Agent  Wilbur,  these 
logs  were  pulled  by  the  internet  server  maintenance  team.  I  know 
this  because  I  was  there  when  they  retrieved  the  information.  These 
logs were saved in a standard text file, or .txt format. I burned these
logs  onto  a  hard  drive  and  also  onto  a  DVD.  I  know  these  devices 
were  clean  of  data  because  I  personally  wiped  all  information  from 
the  hard  drive  and  laptop,  and  created  an  image  —  or  created  the 
image  for  the  hard  drive  on  which  the  logs  were  burned.  Further,  I 
performed  a  hash  value  match  to  verify  that  the  logs  provided  were 
saved  accurately  onto  the  disk.  The  DVD  was  red.  I  marked  it  with 
the title CIE_USR_DATA. This DVD contained the files
CENTCOM CIE SharePoint-HASH-MD5SHA1.pdf,
CENTCOMHQ_CIE_SharePoint-HASH_MD5SHA1.txt, web1.zip, and web2.zip. The
first two files contain the hash value information validating the
accuracy of the log information collected. Web1.zip contained the web
log information -- or web log data from 1 December 2009 until 30 July
2010, pertaining to the USCENTCOM server assigned IP address
131.240.47.6. Web2.zip contained web log data from 1 April 2010 until
30 July 2010,
pertaining  to  the  USCENTCOM  server  assigned  to  IP  address 
131.240.47.7.  Prosecution  Exhibit  108  for  Identification  are  these 
SharePoint  server  logs. 

After  burning  the  log  information  to  the  DVD,  I  signed  the 
evidence  to  Special  Agent  Wilbur  using  the  provided  DA  Form  4137 
Evidence  Property  Custody  Document.  This  —  The  disk  was  recorded  on 
a  DA  Form  4137  labeled  as  document  number  DN122-10.  I  recognize  this 
as  Bates  Number  004111111.  I  know  this  because  I  signed  that  form 
and  recognize  my  signature  on  it.  I  would  recognize  the  evidence 
itself  because  I  wrote  the  label  on  the  disk  and  burned  it.  I  did 
not  alter  the  information  or  the  devices  on  which  it  was  housed  in 
any  way. 

The  information  housed  on  the  SharePoint  server,  mentioned 
previously,  was  accessed  via  SIPRNET  and  located  in  the  JAG  folder  on 
the  USCENTCOM  SharePoint  page.  We  collected  this  information  for  two 
reasons.  First,  this  information  shows  what  content  was  originally 
available  on  the  USCENTCOM  server  to  SIPRNET  users.  Second,  this 
information  helps  pull  the  log  data  we  collected  —  put  the  log  data 
we  collected  into  context. 

I  assisted  Special  Agent  Wilbur  in  collecting  this 
information  from  the  SharePoint  server.  To  retrieve  it,  we  used  two 
blank  CCIU  SATA  hard  drives.  I  know  these  are  clear  hard  drives 
because, in accordance with USCENTCOM policy, I scanned them for
malware  and  viruses  before  they  were  used  to  gather  the  evidence. 
Having  found  none,  I  knew  they  were  suitable  for  evidence  collection. 
To  collect  this  information,  we  also  used  an  approved  CCIU  laptop.  I 
hooked  this  laptop  to  the  SIPRNET  using  a  CCIU-issued  USB  cable  and 
drive  dock.  We  then  connected  the  previously  scanned  hard  drive  to 
the  laptop.  Special  Agent  Wilbur  used  that  connection  to  recover  the 
information  at  issue. 

Ma'am,  the  United  States  moves  to  admit  Prosecution  Exhibit 
108  for  Identification  as  Prosecution  Exhibit  108. 

ADC [MAJ  HURLEY]:  No  objection,  ma'am. 

MJ:  All  right.  May  I  see  it,  please? 

ATC [CPT von ELTEN]: Your Honor, if we may mark this for the next
recess.

MJ:  That's  fine. 

ATC [CPT von ELTEN]: Your Honor, I have Prosecution Exhibit 72
which is the Stipulation of Expected Testimony of Special Agent John
Wilbur.

MJ:  Proceed. 

ATC [CPT  von  ELTEN]:  It  is  hereby  agreed  by  the  Accused,  Defense 
Counsel,  and  Trial  Counsel,  that  if  Special  Agent  John  Wilbur  were 
present  to  testify  during  the  merits  and  pre-sentencing  phases  of 
this  court-martial,  he  would  testify  substantially  as  follows: 

I am currently the Special Agent (SA) at the Computer
Forensic  Unit  in  the  Office  of  the  Special  Inspector  General  for  the 
Troubled  Asset  Relief  Program,  TARP,  at  the  Treasury  Department.  In 
this  position,  I  collect  and  examine  digital  evidence  to  support 
criminal  investigations.  I  have  held  this  position  since  January  of 
2010.  Previously,  I  was  an  SA  for  the  Department  of  the  Army's 
Criminal  Investigation  Command  (CID)  Computer  Crimes  and 
Investigative  Unit,  CCIU.  I  held  that  position  from  June  of  201  to 
January  of  201.  As  a  CCIU  SA,  I  investigated  the  unauthorized 
exfiltration  of  classified  and  sensitive  data  and  the  loss  of 
personally  identifiable  information,  PII,  data  worldwide.  I  also 
investigated  intrusions  into  Army  computer  systems.  I  currently  have 
over 20 years of law enforcement — law enforcement experience, 15 of
which  have  been  primarily  devoted  to  conducting  complex  criminal  and 
administrative  cyber-related  investigations. 

I  have  had  substantial  training  to  qualify  me  for  my 
position.  I  received  Department  of  State  Law  Enforcement  Training  in 
2005,  CID  Law  Enforcement  Training  in  2002,  and  Police  Officer 
Training  in  1990.  In  addition  to  the  evidence-handling  training 
included  in  these  courses,  I  also  attended  the  Advanced  Crime  Scene 
Investigations  Course  at  the  Federal  Law  Enforcement  Training  Center 
in  Glynco,  Georgia,  May  2008.  At  the  time  of  my  involvement  in  this 
Investigation,  my  cyber  security  and  forensic  evidence  experience  was 
on by Guidance Software, the makers of the EnCase forensic tool; I
had  attended  the  Seized  Computer  Evidence  Recovery  Specialist 
Certification  Course,  October  2001,  at  the  Federal  Law  Enforcement 
Training  Center;  and  I  had  attended  FT210,  Windows  Forensic 
Examinations  through  the  Defense  Cyber  Investigations  Training 
Academy,  DCITA.  Further,  I  had  obtained  training  in  Law  Enforcement 
Technology, April 2002, through the University of Pittsburgh;
Advanced Data Recovery, March 2001, and Basic Data Recovery, January
200,  at  the  National  White  Collar  Crime  Center;  Operational 
Information  Security  I  and  II,  July  2000,  at  the  Defense  Information 
Security  Agency;  and  Computer  Search  and  Seizure,  June  2000,  through 
the  FBI  Academy.  I  have  continued  to  develop  my  skills  and 
expertise.  I  have  attended  training  in  Windows  7  Forensics  at  Access 
Data,  2000  —  December  2010,  the  Computer  Incident  Response  Course, 
April  2011,  and  a  course  on  Introduction  to  Networks  and  Computer 
Hardware,  December  2010,  through  DCITA. 

My  role  in  this  case  was  to  assist  in  witness  interviewing 
and  data  collection.  I  collected  evidence  from  the  United  States 
Central  Command,  USCENTCOM,  server  and  from  the  Department  of  State 
server,  DoS.  In  collecting  the  USCENTCOM  materials,  I  worked  with 
Mr.  Jacob  Grant  to  collect  both  the  server  logs  as  well  as 
information  from  a  particular  folder. 

When collecting and handling evidence, I follow several
general procedures. After collection, I review the evidence property
custody document for the appropriate information. I fill out the
date, time, place of collection and describe the evidence collected.
I record, for example, serial numbers, markings for identification,
and condition description matching the associated evidence. Further,
I ensure that the necessary information, such as date and time, are
properly  and  accurately  recorded.  Lastly,  I  maintain  secure  custody 
of  the  evidence  prior  to  transferring  it  to  another  individual.  In 
addition  to  following  these  procedures,  when  transferring  to  or 
receiving  evidence  from  another  person,  I  am  also  sure  to  properly 
sign,  date,  and  note  the  reason  for  the  transfer. 

From  the  USCENTCOM  server,  Mr.  Grant  and  I  collected 
information  from  the  USCENTCOM  SharePoint  site  as  well  as  the  audit 
logs  which  track  access  to  the  site.  I  was  interested  in  this 
information  so  that  investigators  could  compare  compromised 
information  regarding  the  Farah  investigation  to  information  on  the 
USCENTCOM  server,  and  so  that  investigators  could  identify  computers 
which  were  used  to  retrieve  potentially  compromised  material.  Before 
Mr.  Grant  or  I  accessed  —  could  access,  imaged,  searched  for,  or 
extracted  any  information,  we  needed  special  authorization  from  Major 
General  Jones,  Chief  of  Staff,  USCENTCOM.  CCIU  forwarded  a  formal 
written request through the Office of the Staff Judge Advocate to the
USCENTCOM J-6 requesting release of this evidence on 9 August 2010.
This  request  was  approved  on  19  August  2010.  The  same  day,  I  worked 
with  Mr.  Grant  to  prepare  evidence  --  for  evidence  collection  by 
getting  in  order  the  equipment  we  would  need  for  collection.  Mr. 
Grant  ensured  that  the  laptop,  hard  drive,  and  cables  we  would  need 
were  clean  of  any  data  and  ready  for  use. 

The  following  day,  Mr.  Grant  collected  from  the  J  shop  — 
J-6  shop  a  DVD  containing  the  audit  logs  for  the  USCENTCOM  SharePoint 
server.  The  logs  show,  among  other  things,  the  date  and  time 
USCENTCOM  documents  were  accessed  on  the  SharePoint  server,  from 
December  2009  until  August  2010.  On  20  August  2010,  he  signed  that 
evidence  over  to  me.  I  took  possession  using  the  evidence  handling 
procedures  I  describe  herein  including,  but  not  limited  to, 
documenting  it  on  an  Evidence  Property  Custody  Document  DA  Form  4137, 
labeled  as  document  number  DN122-10,  Bates  Number  00411111.  Later 
that  same  day,  I  properly  signed  the  —  that  evidence  over  to  the 
CCIU  Evidence  Custodian,  Ms.  Tamara  Mairena.  At  no  point  did  I  alter 
the  DVD  or  its  contents.  I  have  no  reason  to  believe  it  suffered 
damage  or  contamination  in  any  way. 

In  addition  to  collecting  the  logs,  I  worked  further  with 
Mr.  Grant  to  access  and  collect  information  from  the  USCENTCOM 
SharePoint  collaboration  space  on  the  USCENTCOM  server.  SharePoint 
is  a  tool  produced  by  the  Microsoft  Corporation  to  create  an  internet 
interface which allows users with access to a SIPRNET website to
collaborate,  for  example,  by  sharing  files.  The  USCENTCOM  SharePoint 
itself  is  only  accessible  via  SIPRNET,  so  a  user  must  access  it  via 
secure  systems  and  a  proper  security  clearance.  The  server 
supporting  it,  from  which  Mr.  Grant  pulled  the  logs,  is  on  virtual 
machines  within  a  cluster,  in  a  data  center,  on  a  storage  area 
network (SAN). Only authorized USCENTCOM headquarters J-6 personnel
are  granted  access  to  the  facility.  The  data  center  is  protected  by 
badge  access,  cipher  locks,  video  surveillance,  and  an  access  roster. 
This  information  was  located  on  SIPRNET  in  the  JAG  folder  on  the 
USCENTCOM  SharePoint  page.  Mr.  Grant  assisted  me  in  locating  it  on 
the system. We sat at his workstation to pull the folder contents.
We knew where to focus our search based on Mr. Grant's SIPRNET web
page  address  identifications  of  the  information  at  issue  and  because 
investigators  in  the  case  had  cause  to  suspect  the  charged 
information  was  housed  in  the  USCENTCOM  JAG  folder.  In  consultation 
with  investigating  forensic  examiner  Special  Agent  Dave  Shaver,  we 
determined  the  most  forensically  sound  way  to  collect  the  Farah 
information  itself,  as  well  as  information  about  how  it  was 
accessible  on  SharePoint,  was  to  navigate  through  the  series  of 
digital  folders  to  download  the  Farah  file  itself.  As  we  navigated 
through  the  folder  structure  on  the  SharePoint  server,  we  took 
screenshots  of  the  contents  of  each  folder  before  we  entered 
subsequent folder. A screenshot is the process of obtaining the
digital  —  a  digital  copy  of  the  computer  screen,  similar  to  a 
photograph. 

During  the  morning  of  20  August  2010,  I  connected,  via  a 
USB  cable,  a  CCIU-issued  Voyager  drive  dock  to  the  laptop  which 
accessed  the  SharePoint  server  via  a  USB  cable.  I  connected  a  400 
gigabyte  Seagate  Barracuda,  SATA  drive  —  or  hard  drive,  serial 
number  3NF0DYJ1,  to  the  laptop  using  the  drive  dock  and  assigned  that 
drive  the  letter  X.  Using  Microsoft's  Internet  Explorer,  I 
navigated  to  the  SIPRNET  web  page  www.nonrel.cie.centcom.smil.mil. 
From  this  screen,  I  clicked  on  the  Organization  link.  I  captured  a 
screen  capture  of  this  page  —  I  created  a  screen  capture  of  this 
page  and  saved  it  in  a  folder  in  the  Desktop  Directory  called  screen 
shots.  From  this  screen,  I  clicked  on  the  Special  Staff  link.  I 
created  a  screen  capture  of  this  page  and  saved  it  in  the  screen 
shots  folder.  From  this  screen,  I  clicked  on  the  Judge  Advocate 
link.  I  created  a  screen  capture  of  this  page  and  saved  it  in  the 
screen  shots  folder.  From  this  screen,  I  clicked  on  the  JA  Document 
Page  link.  I  created  a  screen  capture  of  this  page  and  saved  it  in 
the  screen  shots  folder.  From  this  screen,  I  clicked  on  the  folder 
icon  Investigations.  I  created  a  screen  capture  of  this  page  and 
saved  it  in  the  screen  shots  folder.  From  this  screen,  I  clicked  on 
the  folder  icon  Farah.  I  created  a  screen  capture  of  this  page  and 
saved it in the screen shots folder. The folder Farah contained
sub-folders — the following sub-folders: Admin Material, Briefs, Email,
Investigations  Tabs,  Reports  and  EXSUMs,  Timelines,  and  Videos.  I 
navigated  to  each  of  the  sub-folders  and  created  a  screen  capture  for 
each  page  then  saved  it  in  the  screen  shots  folder.  The  screen  shots 
showed  how  the  SharePoint  portal  was  arranged  and  the  path  to  the 
Farah  folder. 

Prosecution  Exhibit  65  for  Identification  is  a  computer 
printout  that  shows  the  file  names  and  their  associated  paths  that  we 
navigated.  It  is  a  printout  of  a  directory  listing  showing  the 
filenames  of  each  file  and  folder  contained  within  the  Farah  folder 
on  the  USCENTCOM  Server  with  individual  line  numbers  printed  to  the 
left  of  the  listing.  It  lists  the  first  level  of  subfolders  within 
the  Farah  folder  alphabetically,  and  then  lists  the  filenames  of  the 
first  subfolder.  The  document  continues  this  process  of  listing 
subfolder  names  recursively,  until  all  files  and  their  filenames  in 
all  subfolders  have  been  listed. 

Later  in  the  day  on  20  August  2010,  I  recreated  the  folder 
Farah  on  the  Desktop  Directory  of  the  laptop  and  included  all  of  the 
subfolders  that  resided  in  the  Farah  folder.  I  then  downloaded  each 
individual  file  contained  in  the  folder  Farah  into  the  same  location 
inside  the  recreated  Farah  folder  on  the  Desktop  Directory  of  the 
laptop  computer.  After  verifying  that  all  of  the  files  downloaded 
correctly, I installed EnCase version 6.14.3 on the laptop computer.
Using EnCase, I created a logical evidence file of the folder Farah
and all of its sub-folders. The logical evidence file was named
JA-Investigations-FarahFolder.L01. An MD5 hash of
46e11229a5d678cabf9c3fa6839f662c was obtained and recorded. The
logical evidence file of the folder Farah was placed in a folder
named EnCase on the root of the X drive connected to the laptop. I
also copied the recreated Farah folder and all of its sub-folders and
placed them onto the root of the X drive. Subsequently, the folder
Screen Shots was then copied and placed on the root of the X drive as
well.

When beginning the process of navigating through the JAG
folder to obtain the Farah contents, I was not required to enter any
login or password window on the main page. I was able to navigate to
any page and access all folders and documents in the document
library, including the SJA Investigations folder and the Farah folder
without ever entering any authentication or credential information.
In the Farah folder, all of the video files were password protected,
including a file named BE22 PAX.zip containing a video named BE22
PAX.wmv. We therefore also requested and received the password to
unlock the file named BE22 PAX.zip and the other videos from
USCENTCOM. PE 66 for Identification is a CD containing the file
named BE22 PAX.zip and the video file named PE — excuse me, BE22
PAX.wmv. PE 67 for Identification contains the password for the file
named BE22 PAX.zip which I received from USCENTCOM.

Later  on  20  August  2010,  I  connected  a  400  —  a  second  400 
gigabyte Seagate Barracuda, SATA hard drive, serial number 3NFOHTG4,
to  the  laptop  using  the  drive  dock  and  assigned  that  drive  the  letter 
Y.  I  then  recreated  the  process  a  second  time  placing  the  folder 
EnCase,  containing  the  EnCase  logical  evidence  file  for  the  folder 
Farah  —  the  recreated  folder  Farah,  and  the  folder  Screen  Shots  onto 
the  root  of  the  Y  drive.  The  second  evidence  drive  was  created  as  a 
backup  in  case  the  first  evidence  drive  suffered  a  failure. 

I  later  collected  as  evidence  two  SATA  hard  drives.  These 
SATA  hard  drives  each  contained  images  of  the  three  folders,  EnCase, 
Farah,  and  Screen  Shots,  copied  from  the  USCENTCOM  SharePoint  server 
IP  address  131.240.47.23,  which  was  documented  on  Evidence  Property 
Custody  Document,  EPCB  Document  Number  DN123-10,  identified  at  Bates 
Number  004111113.  In  processing  this  material,  I  handled  and 
transferred  the  evidence  as  I  have  been  trained.  At  no  point  did  I 
alter  any  evidence  I  collected.  I  have  no  reason  to  believe  this 
evidence was contaminated or damaged in any way. On 20 August 2010,
I properly signed this evidence over to Ms. Tamara Mairena, the CCIU
Evidence  Custodian.  I  did  not  touch  this  evidence  again. 

Finally,  I  took  possession  of  the  firewall  logs  from  the 
Department  of  State  from  Special  Agent  Ron  Rock.  I  took  possession 
of this evidence on 15 October 2010. He provided this information on
a  silver  CD  marked  with  the  words  WikiLeaks  DoS  Firewall  Logs  13 
October  2010.  The  CD  had  a  red  U.S.  Government  Secret  sticker  on  it. 
I  recognize  it  as  an  official  sticker  because  I  have  handled 
classified  information  before.  I  handled  this  evidence  consistent 
with procedures as I have been trained and previously described.
Upon taking custody, I checked to ensure the evidence I was receiving
matched the description on the DA Form 4137, labeled as DN151-10,
Item 1, identified at Bates Number 004111151. I checked the date,
time,  and  other  collection  information.  And  finally,  I  signed  in  the 
Received  By  column.  While  in  possession  of  this  evidence,  I 
maintained  positive  control.  I  did  not  alter  the  information  on  the 
CD.  I  have  no  reason  to  believe  this  evidence  was  damaged  or 
contaminated  in  any  way.  On  18  October  2010,  I  properly  signed  this 
evidence  over  to  Ms.  Mairena,  the  CCIU  evidence  custodian.  I  did  not 
touch this evidence again. PE 68 for Identification is DN151-10,
Item 1.

Ma'am,  the  United  States  moves  to  admit  Prosecution 
Exhibits  65,  67,  and  68  for  Identification  as  Prosecution  Exhibits 
65,  68  —  67,  and  68  respectively. 

ADC [MAJ  HURLEY]:  No  objection,  ma'am. 

MJ: May I see them, please? Prosecution Exhibit 67 for
Identification are admitted. Counsel?

ATC [CPT von ELTEN]: Yes, ma'am.

MJ: I have Prosecution Exhibit 67, but I have a CD that says
66.

TC [MAJ  FEIN]:  66  has  already  been  admitted,  ma'am. 

MJ:  I  know,  but  there's  nothing  in  67. 

TC [MAJ  FEIN]:  I  will  retrieve  those  two  exhibits  from  the  court 
reporter.  Ma'am,  there  is  a  document  marked  in  this  folder. 

MJ:  Oh,  there  is  a  document  —  okay,  it's  not  a  CD  then? 

TC [MAJ  FEIN]:  There  is  a  single-page  document  that  accompanies 
the  CD. 

MJ: And Prosecution Exhibit 68 is admitted. 67 is admitted.
Now, I have 44 here, is that another one that -

TC [MAJ  FEIN]:  No,  ma'am.  Ma'am,  also  we  have  found  in  the  bag 
Prosecution  Exhibit  108  earlier  that  was  going  to  be  marked  prior  to 
the  recess. 

MJ: Prosecution Exhibit 108 is admitted. I'm looking at the
time. How do the parties want to proceed?

TC [MAJ  FEIN]:  Ma'am,  the  United  States  recommends  we  take  our 
lunch  recess. 

MJ:  All  right.  How  long  would  you  like? 

TC [MAJ  FEIN]:  Hour  and  15  minutes,  ma'am. 

MJ:  All  right. 

TC [MAJ FEIN]: We're also trying to set up a phone call and the
—  for  the  defense  to  talk  to  a  certain  witness.  If  that  happens,  we 
might  ask  for  more  time  during  the  recess. 

MJ: What do you think the likelihood of success is in that? Do
you just want to make it until 1330?

TC [MAJ  FEIN]:  Yes,  ma'am. 

CDC [MR.  COOMBS]:  No  objection  to  that,  ma'am. 

MJ:  Court  is  recessed  until  1330. 

[The  court-martial  recessed  at  1201,  11  June  2013.] 

[The  court-martial  was  called  to  order  at  1337,  11  June  2013.] 

MJ: Court is called to order. Major Fein, please account for
the parties?

TC [MAJ  FEIN]:  Your  Honor,  all  parties  when  the  Court  last 
recessed  are  again  present.  Captain  Morrow  is  also  present. 

MJ:  Is  the  government  ready  to  proceed? 

ATC [CPT von ELTEN]: The United States calls Mr. Kenneth Moser.

MJ: All right. I didn't ask the parties if there are any
issues we needed to address, I assume there are none?

ATC [CPT  von  ELTEN]:  No,  ma'am. 

[END  OF  PAGE] 

KENNETH MOSER, civilian, was called as a witness for the prosecution,
was  sworn,  and  testified  as  follows: 

DIRECT  EXAMINATION 

Questions by the assistant trial counsel [CPT von ELTEN]:

Q.  Are  you  Kenneth  Moser  of  Tampa,  Florida? 

A.  Yes,  sir. 

Q.  Mr.  Moser,  what  is  your  military  background? 

A.  I  spent  21  years  in  the  Air  Force  since  I  retired. 

Q.  What  did  you  do  in  the  Air  Force? 

A.  I  was  —  First  initially  I  did  9  and  a  half  years,  I  was  a 
Security  Police  K9  Handler,  and  then  I  cross  trained  into  the 
paralegal  field. 

Q.  When  did  you  retire? 

A.  In  2009. 

Q.  What  did  you  do  after  retirement? 

A.  I  got  hired  at  unit  Central  Command  working  as  the  Command 
Paralegal  Manager. 

Q.  What  do  you  do  as  Command  Paralegal  Manager? 

A.  I  oversee  office,  manpower,  budget  IT,  small  duties  as 
security  manager. 

Q.  And  where  are  you  assigned? 

A.  I  am  at  US  Central  Command  down  at  Tampa. 

Q. How much do you work with classified information at that
position? 

A.  On  a  daily  basis. 

Q.  What  are  some  of  the  ways  you  work  with  classified 
information? 

A.  Documents,  e-mails,  receive  a  lot  of  e-mails  that  are 
classified.  Like  I  said  handling  documents,  drafting  documents  that 
will  be  classified. 

Q.  How  do  you  identify  classified  information? 

A.  For  a  document  it  would  be  at  the  top  and  bottom  of  a  page. 
It  would  be  marked  what  the  classification  level  is.  Also  you'll  see 
paragraphs  that  are  marked  appropriately  so  you  might  have  one 
paragraph  that's  unclassified  and  the  next  paragraph  would  be  marked 
—  a  classified  marking. 

Q.  When  did  you  first  become  involved  in  this  case? 

A.  Approximately  3  years  ago  I'd  say. 

Q.  Let's  talk  a  little  bit  about  your  work  with  the  CENTCOM 
website.  What  do  you  do  with  the  CENTCOM  website? 

A.  I'm  the  Sharepoint  Portal  Manager. 

Q.  What  is  Sharepoint? 

A.  SharePoint  is  a  Microsoft  product  collaboration  tool  that 
our  command  uses  for  information  sharing  and  storage  of  documents. 

Q.  What  do  you  do  to  manage  it? 

A. Initially when we went to our newest SharePoint version I
built  the  sites,  the  look,  and  feel  of  them.  And  then  I  post 
documents  out  there,  set  up  folders,  set  up  different  libraries  for 
our  different  sections  in  our  office  that  they  can  then  use  to,  you 
know,  as  they  see  fit  for  their  sections. 

Q.  What  version  of  SharePoint  was  the  CENTCOM  website  running 
in  2009  to  2010? 

A.  It  would  have  been  SharePoint  2007. 

Q.  How  long  have  you  been  working  with  SharePoint  at  CENTCOM? 

A. When I initially got there in 2005 when I was active duty,
I got there in 2005 and then we started using SharePoint probably
late  2007  -  2008  timeframe. 

Q.  Who  had  access  to  the  CENTCOM  website  in  2009  and  2010? 

A. The CENTCOM overall website? Anybody who had access to it,
had SIPR access, could get onto CENTCOM sites and had a lot of
information  from  our  components  that  they  could  get  on  there,  get 
information  if  they  needed  it. 

Q. Specifically what portion do you manage?

A.  I  manage  the  CCJA,  the  Staff  Judge  Advocates  portal  site. 

Q.  Who  had  access  to  that  SJA  portal  site  in  2009  and  2010? 

A. For the home page anybody who had access to the SIPR — the
CENTCOM SIPR page could get access to our home page. And then we had
a legal document library that was in there that was open to the
public. And then we had a few other sites that we had blocked out
some other permissions just for personnel inside our office.

Q.  What  kind  of  information  was  in  the  legal  document  library? 

A. We just tried to put a lot of information out there for our
people that were out in the fields, just range of a lot of
references, checklists, maybe AMHS messages, FRAGOs. Just
information that they might need to do their duty.

Q.  How  often  have  you  used  this  website  since  2005? 

A. How often have I used it? When we started using it in late
2007/2008 we didn't use it as frequently as we do now. With the
2010, we use it you know, almost exclusively. We had hung the
documents out there over a period of time and so I would say, you
know, on a weekly basis we do a little bit here and then get on it,
get on the site and put stuff on there.

Q.  How  often  do  you  personally  use  it? 

A. Myself? Back then probably I'd say once a week. I mean,
to get on the CENTCOM home page portal site every day, that's your
home -- your setting on your home page. On our site, you know,
couple times a week I'd always be on it.

Q.  How  many  portals  were  there  in  2009/2010? 

A.  We  had  a  releasable  portal  and  non-releasable  portal. 

Q. And what was the releasable portal?

A. Releasable just meant that it was open to some of our
coalition countries. When you went on there it had a purple banner
and it read RELTO, and then the countries, like Australia, Great
Britain, and New Zealand for example. It had RELTO those countries
on it.

Q. What kind of information was in that portal?

A. On the REL portal? It would be information that was either
unclassified or information that was releasable to those countries
that were out there.

Q. What was the non-releasable portal?

A. The non-releasable portal was for US only or Secret/NOFORN.
And it was only — it was locked down to just those US personnel that
had access to the SIPR.

Q. Who primarily used this portal?

A. The Secret portal? Just about everybody in the command
tended to use the Secret non-releasable more than they did the REL.
It was easier that way to try to avoid having some sort of spillage
than putting maybe something on the releasable portal that shouldn't
be there.

ATC [CPT von ELTEN]: I'm retrieving Prosecution Exhibit 91 for
Identification. Permission to publish, ma'am?

MJ: Go ahead.

[There was a brief pause while the assistant trial counsel published
the exhibit to the witness and the Court.]

Q.  Mr.  Moser,  can  you  see  that  on  the  screen? 

A.  Yes,  sir. 

Q.  What  is  it? 

A.  It's  a  snapshot  there  of  our  non-releasable  portal  page, 
the  CENTCOM  home  page  there. 

Q.  How  do  you  recognize  it? 

A.  We  got  our  leadership  there  in  the  center,  2007  version. 
That  was  who  the  leadership  was.  And  then  at  the  top  it  has  the 
Secret SIPRNET. That's what it has on it. So and then of course the
left-hand corner, that's the CENTCOM logo, and it says, 'United
States Central Command SIPRNET'. That was our — That was our home
page. 

Q.  Does  this  accurately  reflect  how  the  website  looked  in 
2009/2010? 

A.  Yes,  sir,  it  did. 

Q.  What  is  accessible  from  this  web  page? 

A.  Most  of  the  stuff  on  the  left  side  would  have  been 
accessible  to  open  up  to  the  public  and  then  there's  a  banner,  it's 
not  shown  on  there,  that  goes  across  it.  It  had  all  the  different 
organization,  all  the  different  directorates.  They  would  have  drop 
down menus that you could go to their sites as well their home pages.

Q. Do you recognize this document?

MJ:  What  is  that  document?  Is  it  part  of  the  same  exhibit? 

ATC [CPT von ELTEN]: Yes, this is all part of the same exhibit,
ma'am.

A.  That  is  a  snapshot  of  our  CCJA,  the  Staff  Judge  Advocate's 
home  page  of  the  non-releasable  portal  site. 

Q.  How  would  a  user  navigate  to  the  home  page? 

A.  From  the  home  page  they  could  have  gone  to  the  organization 
and  seen  Special  Staff  and  JA  would  have  fell  underneath  the  Special 
Staff  and  that's  why  it  has  a  non-releasable  JA  site  there. 

Q.  How  do  you  recognize  it? 

A.  Those  were  personnel  that  were  in  our  office  that  they  have 
and  over  on  the  left-hand  side,  the  areas  of  expertise,  CENTCOM  legal 
document  library.  Post  government  employment.  Those  are  all  stuff 
that  were  on  our  site. 

Q.  Do  you  recognize  this  document? 

A.  Yes,  sir.  That  is  —  It  looks  like  all  the  folders  that  we 
had  at  the  time  in  our  CENTCOM  legal  document  library. 

Q.  How  often  did  you  work  with  this  library? 

A.  Like  I  said,  maybe  a  few  times  a  week  back  then,  depending 
on  what  folder.  We  might  get  one  document  that  you  would  hang,  you 
know,  document  in  it  or  one  PDF  file  in  a  particular  folder. 

Q. Who at CENTCOM used this library primarily?

A. This is open to our command and it was open to those
personnel,  like  I  said,  that  were  in  theater  that  could  have  access 
to  this  page.  This  is  where  we  tried  to  hang  a  lot  of  information 
out  there  for  personnel  to  get  access  to. 

Q.  Do  you  recognize  this  page? 

A.  Yes,  sir.  That's  a  —  Farah  was  an  investigation  that  we 
had.  It  was  under  the  investigations  library.  That  was  our  folder 
under  the  CENTCOM  legal  document  library. 

Q.  What  was  the  Farah  investigation? 

A.  It  was  a  CIVCAS  investigation  from  Afghanistan,  civilian 
casualty. 

Q. When was this — when was this folder on CENTCOM's website?

A. Back around 2008 when we had the SharePoint site we
started, this would be one of the folders that we created under the
investigation folders.

Q.  What  was  the  investigations  folder  used  for  primarily? 

A.  We  had  put  some  of  the  investigations  out  there  just  kind 
of  a  storage  place  for  documents. 

Q.  Who  primarily  accessed  this? 

A.  Mainly  it  was  personally  in  our  office,  like  I  said, 
anything  under  the  CENTCOM  legal  document  library  was  opened  up  to 
those  US  personnel  that  had  access  to  it. 

Q. How would somebody navigate to this folder?

A. Under the CENTCOM legal document library you would have had
a  folder  called  investigations.  They  would  click  on  that  folder  and 
it  brought  up  this  particular  investigation. 

Q.  Do  you  recognize  this  document? 

A.  Yes,  sir. 

Q.  What  is  it? 

A.  Those  were  subfolders  under  the  Farah  investigation. 

Q.  And  what  would  have  been  in  these  folders. 

A. It would have been information contained from the
investigation. You see the folders names, e-mails, it might have
just been some e-mails dealing with logistics or the people that were
investigating it or, you know, e-mails from investigation briefs.
It has some EXSUMS and there's videos, which would contain videos of
the investigation.

Q.  When  would  this  folder  have  been  on  the  CENTCOM  website? 

A. During the same time it was created when the Farah
investigation folder was started.

Q.  Who  had  access  to  it? 

A.  Once  again,  the  same  personnel.  It's  been  open  to  those 
personnel  that  had  access  to  the  CENTCOM  non-releasable  portal  site. 

Q.  Do  you  recognize  this? 

A.  Yes,  sir. 

Q. What is it?

A. Those were folders, zip files that had videos in it that
were  included  in  the,  they're  under  the  video  folders  of  the  Farah 
investigation. 

Q.  Why  were  they  there? 

A.  They  were  there  as  part  of  the  whole  investigation  that  was 
out  there  on  the  site. 

Q.  What  does  the  icon  to  the  left  of  BE22PAX  indicate? 

A.  The  icon  underneath  the  type? 

Q.  Yes. 

A. That was a zip file. That's where — that contained the
videos were inside of that folder so if you click on that it takes
to where the video was; BE22 was a video.

Q. Were they protected?

A. No, sir.

Q. By password?

A. You should have been able to access them.

Q. When would this be on the website?

A. Same timeframe, right after the investigation was
completed, 2008 somewhere around there.

Q.  And  who  had  access  to  it? 

A.  The  same  personnel  that  had  access  to  the  CENTCOM  legal  doc 
library and the CCJA — or in the CENTCOM home page.

Q. Mr. Moser, was that file, the zip file, protected?

A. The file, it is protected now. I don't know. I can't
recall back then if it had a password on it at that time. We
downloaded the whole investigation we put on this portal site, so.

ATC [CPT  von  ELTEN] :  Your  Honor,  the  government  moves  to  admit 
Prosecution  Exhibit  91  for  Identification  into  evidence. 

ADC [MAJ HURLEY]: No objection, ma'am.

MJ: Prosecution Exhibit 91 for Identification is admitted. May
I see it?

ATC [CPT  von  ELTEN] :  Thank  you,  Mr.  Moser. 

MJ:  Cross-examination? 

ADC [MAJ HURLEY]: Yes, ma'am.

CROSS-EXAMINATION 

Questions  by  the  assistant  defense  counsel  [MAJ  HURLEY] : 

Q.  Good  afternoon,  Mr.  Moser. 

A.  Good  afternoon,  sir. 

Q.  The  use  of  SharePoint  in  CENTCOM,  that  was  something  that 
was  directed  to  be  used? 

A.  Each  division  or  section  could  use  it  as  they  see  [sic] 
fit.  Some  people  use  it  as  a  collaboration  tool,  some  people  use  it 
as  storage  site  for  information,  kind  of  as  you  see  fit.  Back  then 
it  wasn't  a  mandate  that  you  - 

Q. Had to use it?

A. - had to use it.

Q.  You  said,  when  you  talked  to  Captain  von  Elten,  you  go  on 
the  website  fairly  frequently? 

A.  Yes,  sir. 

Q.  Do  you  ever  go  to  any  other  staff  sections  - 

A.  Yes,  sir. 


Q.  - pages? 

A.  Yes,  sir.  Are  you  talking  currently? 

Q.  No,  let's  go  back  in  2009,  the  same  timeframe  that  Captain 
von  Elten  was  talking  about? 

A.  Yes,  sir. 

Q.  You  went  on  those  other  sections? 

A. I went on others directorates and staff's websites; yes,
sir.


Q.  Not  to  force  you  to  do  a  class  on  the  structure  of  the 
Central  Command,  but  the  Central  Command  is  a  very  robust 
headquarters,  correct? 

A.  Yes,  sir. 

Q.  It  has  all  the  normal  staff  sections  that  you  would 
associate  with  the  headquarters  of  that  size? 

A.  Correct. 

Q.  Personnel,  correct? 

A. Correct. We had a J-1 we called it.

Q. Right. J-2 with intelligence?

A.  Correct. 

Q.  Plans  J-5,  J-3  current  operations? 

A.  Yes,  sir. 

Q.  All  of  those.  And  would  you  have  occasion  in  this  time 
period  to  go  to  those  particular  pages? 

A.  Yes,  sir.  A  lot  of  times  if  I  do  legal  research,  for 
example,  I  would  go  on  the  J-3  ops,  they  had  a  site  that  had  —  I 
could  do  research  on  FRAGOs  or  OPORDs  or  things  like  that.  A  lot  of 
information  like  that  was  out  on  the  other  sites  I  can  get  to. 

Q.  And  the  robust  use  of  SharePoint,  the  use  of  SharePoint 
anyway  was  something  that  all  staff  sections  were  doing,  hanging 
information  on  there,  using  it  for  their  own  use  or  hanging  out  there 
for  anyone  that  could  get  on  the  site? 

A. They would push stuff out there. But they, like I said,
each section controlled the permission level. So, a lot of stuff I
wouldn't have access or know it was out there. I might not see it.
It depends on — I wouldn't know what other sections — what stuff I
couldn't see I wouldn't know what's out there.

Q. Right. You wouldn't know until you get into -- until you
started -

A. Until somebody gave me permissions or somebody told me
about a site and I could ask for permission and they would give it to
me to get to it.

Q. But you assume you had permission if you could go on there
and conduct your legal research or looking at operations orders or
FRAGOs or whatever?

A. You could but the way SharePoint works is if you lock down
permission level on something and I do a search, it won't pull up
search on the sites that I don't have access to. You won't know a
site exists if you don't have certain permission levels to go on it.
You go to the right side and you might not see a folder there or
somebody else that has permission would have the folder on that
particular site.

ADC [MAJ HURLEY]: Thanks, Mr. Moser.

WIT: Yes, sir.

MJ: Redirect?

ATC [CPT von ELTEN]: No, Your Honor.

MJ: Temporary or permanent excusal?

ATC [CPT von ELTEN]: Permanent, ma'am. Or temporary, ma'am.

[The witness was temporarily excused, duly warned, and withdrew from
the courtroom.]

MJ: Please call your next witness.

TC [MAJ FEIN]: Ma'am, the United States offers stipulations for
the record. Stipulation of Expected Testimony it is going to be PE
-- well, three in a row. Your Honor, PE 73, Prosecution Exhibit 74 and
Prosecution Exhibit 75.

MJ: All right. Thank you.

TC [MAJ FEIN]: Ma'am, Prosecution Exhibit 73, Stipulation of
Expected Testimony Mr. James Fung, dated 7 June 2013.

It is hereby agreed by the Accused, Defense Counsel, and
Trial Counsel, that if Mr. James Fung were present to testify during
the merits and pre-sentencing phases of this court-martial, he would
testify substantially as follows:

I currently work as the supervisor of the Cyber Security
Operations Group at Brookhaven National Laboratory (BNL) in Upton,
New York. This Group is responsible for the security posture of BNL
and is constituted by one physical site where multiple BNL
departments' IT directorates centralize their security operations.
As supervisor, I oversee the daily operations of this Group. These
operations include intrusion detection, audit log collections, and
Cyber Security Incident Response Team (CSIRT) activities. Audit log
collection entails collecting electronic audit logs, which track the
time/date and user activities of individuals using BNL computers.
These logs are used to analyze the BNL system for security
vulnerabilities and also to secure data regarding suspected security
violations. The CSIRT team is responsible for detecting, responding
to, and investigating cyber security violations as well as pur —
pursuing alleged — allegations of fraud, waste, and abuse. In its
work, we collaborate with the BNL human resources department, on-site
security, and law enforcement. I have held my supervisory position
for 6 years. I have a Bachelors degree in IT Management and am
certified as a Forensic Analyst by the computer security professional
association Global Information Assurance Certification (GIAC).

I first became involved in this case after CSIRT members,
whom I supervise, alerted me that the desktop work station of
computer — excuse me. Your Honor, the desktop work station computer
of a BNL employee identified as Mr. Jason Katz had been used contrary
to BNL policy. To investigate this suspected misuse, two members of
the CSIRT team collected Mr. Katz's BNL desktop computer. Based on
BNL's report to federal law enforcement officials, investigators in
the present case against PFC Manning became interested in the
contents of the BNL desktop computer assigned to Mr. Katz, which my
team collected. No rationale for this interest was communicated to
me.

Mr. Katz worked as a Systems Administrator for the Physics
Department at BNL. He was hired as a Junior Systems Administrator,
and was employed from February of 2009 until March of 2010. His
primary responsibilities were to help maintain the computers that
processed data for our Relativistic Heavy Ion Collider (RHIC) as well
as the ATLAS Computing facility (RACF). As BNL has the capacity to
process large amounts of data through one — through our super
computer systems, Mr. Katz was further responsible for helping to
manage the queue of jobs submitted from institutions throughout the
world, who seek BNL's assistance in processing large amounts of data.
For example, research universities send large amounts of research
data to us, as our facility can process data with the power of 500
computers.

Our CSIRT team became suspicious of Mr. Katz when his
desktop computer was removed from our BNL network. This happens
automatically when our system detects that the BNL computer attached
to this account is used in a way that violates BNL user agreements.
When a machine is blocked or disconnected from our BNL network, it is
no longer usable-including for work purposes. Mr. Katz approached
our office to have his desktop reconnected to the network alleging
that he had been kicked off after accidentally clicking a prohibited
link in an email on his personal account. Following this
explanation, we reconnected his computer to the network. However,
upon considering the matter further, I decided this was unlikely
given the activity detected. Accordingly, I notified our Laboratory
Protection — Protective Division (LPD), legal department, and human
resources office of the suspicious activity and initiated an
investigation. Subsequently, an armed LPD officer was dispatched to
Mr. Katz's office. I further dispatched two members of my CSIRT team
to respond. Mr. Withers was part of the CSIRT team. He was the team
member to first identify the suspicious activity associated with Mr.
Katz's BNL desktop computer. Further, given Mr. Withers prior BNL
work in the same section as Mr. Katz, I considered Mr. Withers
knowledgeable about Mr. Katz's official duty position. After
collecting Mr. Katz's computer, Mr. Withers delivered the machine to
our secure forensic laboratory to be forensically imaged by Mr.
McManus.

Access to our forensic laboratory is secured by access key
card. Only members of our Cyber Security Group have this access.
Further, the lab contains a safe used to house evidence securely.
This safe can only be accessed when a key and pass code are used in
conjunction. Only two people hold this key; myself and a colleague,
who is also a member of the Cyber Security Group. Only members of
the Cyber Security Group have pass codes to the safe.

Later my team searched the forensic image created by Mr.
McManus. Our search revealed the presence of password cracking
programs, which are commonly used to break file passwords. To the
best of my knowledge, there is no reason Mr. Katz would need these
programs for work purposes. I later confirmed this understanding
with Mr. Katz's then supervisor Mr. Chan. I do not recall seeing
anything related to WikiLeaks on Mr. Katz's computer. This would
have been before I had heard of WikiLeaks, so I do not know if I
could remember if I had did — if I did.

At no point during the detection of suspicious activity or
the ensuing investigation and examination did I alter Mr. Katz's BNL
computer, its hard drive, its other components, or its contents in
any way. Furthermore, I never altered any forensic image made from
the computer in any way. At no point did I observe anyone after —
alter the computer, its hard drive, its other components, or it
contents in any way. Likewise, I have no reason to believe the
evidence was damaged or contaminated in any way.

Your Honor, Stipulation of Expected Testimony of Mr. Alex
Withers, dated 7 June 2013, PE 74.

It is hereby agreed by the Accused, Defense Counsel, and
Trial Counsel, that if Mr. Alex Withers were present to testify
during the merits and pre-sentencing phases of this court-martial, he
would testify substantially as follows:

I currently work as an Investigator in the IT Division of
Brookhaven National Laboratory (BNL) in Upton, NY. Specifically, I
am part of a Cyber Security Incident Response Team (CSIRT). I have
held this position for 5 years since September of 2008. Prior to
that, I worked as an Advanced Technology Engineer, responsible for
helping to maintain the computers that process data for our Real —
Relativistic Heavy Ion Collider (RHIC) as well as the ATLAS Computing
Facility (RACF). BNL has the capacity to process large amounts of
data through our super computer systems. Accordingly, in my previous
position, I was further responsible for helping to manage the queue
of jobs submitted from institutions throughout the world, who seek
BNL's assistance in processing large amounts of data. I held that
position for 4 years.

I hold a Bachelors and a Masters degree in Computer
Science. I also hold three certifications from the computer security
professional association Global Information Assurance Certif —
Certification (GIAC); one in Forensic Analysis, one in Incident
Handling, and one in Intrusion Analysis.

I first became involved in this case after I discovered
suspicious activity on the desktop work station computer assigned to
a BNL employee identified as Mr. Jason Katz. Based on BNL's report
to federal law enforcement officials, investigators in the present
case against PFC Manning became interested in the contents of the BNL
desktop computer assigned to Mr. Katz, which I collected and
forensically examined.

In my CSIRT position, I monitor information system security
for BNL. In early March of 2009, I discovered the BNL desktop
machine assigned to Jason Katz had a Firefox extension. An extension
is a program that runs within the Firefox internet browser and that
enhances the user's abilities. For example, an extension could allow
a user to project his/her Internet Protocol (IP) to a different
location, and route through a different IP address, so that his/her
actions on the web would appear to have originated in that location
instead of the user's actual location. In this instance, the
extension on Mr. Katz's machine implied that Mr. Katz had bypassed
BNL proxy servers designed to monitor BNL computers' internet
traffic. I further investigated this activity by reviewing logs
created by BNL reporting software. This review revealed that Mr.
Katz's BNL desktop machine had a large amount of Secure Shell (SSH)
traffic. SSH is a computer protocol, or computer communication
language, that facilitates secure or encrypted communications. This
information, when taken in conjunction with my review of BNL firewall
logs, suggested that Mr. Katz was transferring files between his BNL
machine and another computer outside his home using an SSH, or
encrypted, connection. I know the network to which he connected was
not his home computer, as the IP address to which this connection was
made did not match his home IP address. While I could not tell which
types of files were transferred, having previously occupied a duty
position responsible for many of the same activities as Mr. Katz was
then responsible, I know it is possible for a user in Mr. Katz's
position to have hidden files in the BNL system and to have used the
BNL computing power to run personal tasks. For example, the BNL
super computer power could significantly reduce the amount of time it
would take to decrypt an encrypted file without a password. I also
know that the BNL desktop CD-RW and USB drives would have been
enabled on his work computer. These could have been used to transfer
data onto removable media.

This, and other suspicious activity, resulted in further
investigation. Ultimately, our system detected that Mr. Katz's
computer had accessed a website known to contain pirated files. We
were able to find this because Mr. Katz upgraded to a web browser
that had a bug that allowed me to see what websites Mr. Katz was
visiting. Pirated files are illegally obtained files. I cannot
recall all of the websites visited by Mr. Katz. The only one that I
remember specifically is Pirate Bay, a website that allows for the
improper downloading of movies and other entertainment media. As
this was against user agreement policy, the BNL system automatically
blocked Mr. Katz's desktop computer-essentially removing it from the
BNL system. The ensuing investigation included the collection of Mr.
Katz's BNL desktop computer for forensic imaging and further
investigation. I know this because I was part of the team to report
the initial suspicious activity to my supervisor Mr. James Fung. I
then met with and accompanied responding law enforcement personnel to
Mr. Katz's workstation for the collection of his computer. Mr. Katz
was present at the time we obtained the BNL computer. It was a Dell
Optiplex 960 computer with a Linux operating system, bar code number
138694. At the time of collection, we checked to make sure the
computer did not contain any removable media devices such as a thumb
drive. Then, my CSIRT colleagues and I accompanied that computer to
the forensic laboratory for forensic imaging by Mr. James McManus.
Mr. McManus is an IT Architect at BNL.

Following this imaging process, our Cyber Security Team
further examined this forensic image. I know our team examined it
because I participated in that examination. Our investigation
revealed that Mr. Katz had password cracking software on his BNL
desktop computer. Additionally, the computer housed at least part of
an encrypted .zip file, which, it appeared, Mr. Katz had attempted to
break into or decrypt using the brute force attack method. The brute
force attack method means using a computer-generated or pre-generated
list of possible passwords to crack an unknown password by running
different passwords against the file one at a time at a very fast
rate. We did not have the password to this file and so could not
open it. Our search also revealed movies that had been downloaded
and saved to Mr. Katz's work computer. I do not recall whether
WikiLeaks was mentioned in any way on Mr. Katz's computer. This was
prior to my having heard of WikiLeaks, so I may not have noticed its
significance at the time.

At no time, prior to, during, or after the collection of
Mr. Katz's BNL computer did I alter its hard drive, its other
components, or its contents in any way. Furthermore, I never altered
any forensic image made from this computer in any way. At that — At
no point did I observe anyone alter the computer, its hard drive, its
other components, or its contents in any way. Likewise, I have no
reason to believe the evidence was damaged or contaminated in any
way.

Your Honor, last and final for right this iteration.
Prosecution Exhibit 75. A Stipulation of Expected Testimony from Mr.
James McManus, dated 7 June 2013.

It is hereby agreed by the Accused, Defense Counsel, and
Trial Counsel, that if Mr. James McManus were present to testify
during the merits and pre-sentencing phases of this court-martial, he
would testify substantially as follows:

I currently work as an IT Architect at Brookhaven National
Laboratory (BNL) in Upton, New York. In this capacity, I perform
forensic imaging of the computers our Cyber Security Team confiscates
and perform forensic analysis of those computers with Windows
operating systems. I also control anti-virus for the approximately
5,000 computers connected to the BNL system, and run penetration
testing on BNL servers to ensure they are secure. I work with Mr.
Alex Withers. Mr. James Fung is my supervisor. I have held this
1  position  for  2  years.  For  the  5  preceding  years,  my  job  title  was

2  Senior  Engineer;  however,  my  responsibilities  have  remained  the  same. 

3  I  have  worked  at  BNL  for  30  years,  and  have  worked  with  the  Cyber 

4  Security  Group  for  10  of  those  years.  For  the  past  5  years,  I  have 

5  attended  at  least  one  System  Administration  Network  Security  (SANS) 

6  course  on  network  security  and  forensic  examination  per  year.  The 

7  courses  also  cover  how  to  handle  digital  evidence. 

8  I  first  became  involved  in  this  case  after  forensically 

9  imaging  the  hard  drive  of  a  desktop  work  station  computer  of  a  BNL 

10  employee  identified  as  Mr.  Jason  Katz,  which  had  been  collected  upon 

11  suspicion  of  having  been  used  contrary  to  BNL  policy.  Based  on  BNL's 

12  report  to  federal  law  enforcement  officials,  investigators  in  the 

13  present  case  against  PFC  Manning  became  interested  in  the  contents  of 

14  the  BNL  desktop  computer  assigned  to  Mr.  Katz,  which  I  processed. 

15  On  24  February  2010,  I  received  a  Dell  Optiplex  960  desktop 

16  computer  assigned  to  Mr.  Katz  from  Mr.  Alex  Withers.  After  receiving 

17  the  computer,  I  secured  it  in  our  evidence  safe  in  our  secure 

18  forensic  evidence  laboratory.  The  lab  is  accessible  only  to  the  six 

19  BNL  Cyber  Security  team  members,  who  must  use  secure  key  card  to  gain 

20  entry.  A  key  and  pass  code  are  required  to  open  the  safe.  It  is 

21  only  accessible  if  either  Mr.  Fung  or  his  associate,  who  also  works

22  in  our  Cyber  Security  Group,  are  present,  as  they  are  the  only 
1  individuals  with  the  required  key.  Only  Cyber  Security  Group  members

2  have  the  required  pass  code. 

3  On  25  February  2010,  while  in  our  secure  forensic  evidence 

4  laboratory,  I  removed  the  hard  drive  from  the  Dell  Optiplex  960  BNL 

5  desktop  computer  collected  from  Jason  Katz.  I  obtained  a  forensic 

6  image  of  this  hard  drive  using  the  program  FTK  imager.  I  followed 

7  standard  imaging  procedures  on  which  I  have  been  trained  and  which  I 

8  have  used  before. 

9  A  forensic  image  of  an  item  of  digital  media  is  an  exact 

10  copy  of  the  data  on  the  digital  media.  Digital  forensic  examiners 

11  image  devices  so  that  the  originally-collected  device  can  be  for 

12  identification  forensically  examined  without  risking  contamination  of 

13  the  original  data.  This  is  standard  practice  by  digital  forensic 

14  examiners.  The  software  forensic  examiners  use  to  image  the  digital 

15  evidence  has  built  in  procedures  to  verify  that  the  item  has  been 

16  successfully  duplicated.  For  example,  the  program  will  note  the  MD5 

17  hash  or  Secure  Hash  Algorithm  1  (SHA1)  hash  value  of  an  item  of

18  digital  evidence  before  imaging  (acquisition  hash  value)  and  after 

19  imaging  the  items  (verification  hash  value).  If  the  two  hash  values

20  match,  the  item  has  been  successfully  duplicated  bit-for-bit.  The 

21  hash  value  is  determined  by  mathematical  algorithm  and  is  displayed 

22  as  a  number/letter  identifier  unique  to  every  item  of  electronically 

23  stored  information.  It  is  the  equivalent  of  a  digital  fingerprint. 
1  When  the  hash  value  is  generated,  the  entire  hard  drive  will  have  a

2  hash  value,  as  well  as  each  individual  file  on  the  hard  drive.  If 

3  there  is  any  alteration  to  the  hard  drive  or  to  any  file  on  the  hard 

4  drive,  the  acquisition  and  verification  hash  values  will  not  match. 

5  The  alteration  can  be  as  small  as  adding  a  single  space  into  text 

6  document  or  saving  the  data  to  a  different  size  device.  In  this 

7  case,  I  used  FTK  Imager  forensic  software  to  complete  this  imaging 

8  process.  FTK  Imager  is  similar  to  EnCase  and  is  widely  used  by 

9  digital  forensic  examiners.  I  also  used  a  write  blocker  when  imaging 

10  this  device  in  order  to  ensure  the  originally  collected  evidence  was 

11  not  altered  in  any  way.  As  I  stated  earlier,  I  have  received 

12  training  on  FTK  Imager  and  have  used  it  in  my  other  work.  I 

13  encountered  no  errors  while  conducting  the  imaging  of  the  evidence  at 

14  issue  in  this  case.

15  I  processed  a  BNL-owned  laptop  —  excuse  me.  Your  Honor,  I 

16  processed  a  BNL-owned  Dell  Optiplex  960  desktop  computer  hard  drive 

17  with  Linux  operating  system,  serial  number  9SZ3MBE3,  bar  code  138694. 

18  I  made  a  forensic  image  of  this  drive  for  our  lab's  internal 

19  examination.  In  doing  so,  I  identified  the  SHA1  hash  value  of  the 

20  hard  drive  collected  to  be  60a5cd8caf580f7c1bba415f793550a7349af1bc.

21  At  no  point  during  my  handling  of  the  evidence  in  question  did  I 

22  alter  the  computer,  its  hard  drive,  its  other  components,  or  its 

23  contents  in  any  way.  At  no  point  did  I  observe  anyone  alter  the 




1  computer,  its  hard  drive,  its  other  components,  or  its  contents  in 

2  any  way.  I  have  no  reason  to  believe  the  evidence  was  damaged  or 

3  contaminated  in  any  way. 

4  ATC [CPT  MORROW]:  The  United  States  recalls  Special  Agent  Dave 

5  Shaver. 

6  SPECIAL  AGENT  DAVID  SHAVER,  was  recalled  as  a  witness  for  the 

7  prosecution,  was  reminded  he  was  still  under  oath,  and  testified  as 

8  follows:

9  DIRECT  EXAMINATION

10  Questions  by  the  assistant  trial  counsel  [CPT  Morrow]:

11  Q.  Did  you  examine  an  image  of  a  computer  seized  from  an 

12  individual  Jason  Katz? 

13  A.  Yes,  sir,  I  did. 

14  Q.  Why  were  you  asked  to  examine  the  computer? 

15  A.  Sir,  I  was  asked  to  examine  the  computer  to  determine  the 

16  presence  of  a  file  called  B.zip. 

17  Q.  Before  you  began  your  examination,  did  you  ensure  that  the 

18  examination  was  forensically  sound? 

19  A.  Yes,  sir.  I  verified  the  hash  values  matched  and  I  started 

20  my  examination. 

21  Q.  And  first,  before  we  get  into  the  B.zip,  what  kind  of 

22  computer  was  this? 

23  A.  Sir,  this  was  a  Linux  computer. 
1  Q.  What  is  Linux?

2  A.  Sir,  that's  just  an  operating  system.

3  Q.  Did  you  find  the  B.zip  file?

4  A.  Yes,  sir;  I  did.  There  was  one  user  account  on  the

5  computer.  The  user's  name  was  Kupo,  K-U-P-O,  within  that  user

6  profile,  the  file  b.zip  was  present. 

7  MJ:  What  was  the  user's  name? 

8  WIT:  Kupo,  K-U-P-O. 

9  MJ:  Thank  you. 

10  Q.  Can  you  please  spell  out  b.zip? 

11  A.  Yes,  sir,  the  letter  B.ZIP. 

12  Q.  Thank  you.  Did  this  zip  file  have  any  security  protections 

13  on  it? 

14  A.  Yes,  sir.  It  was  --  it  had  a  password. 

15  Q.  What  do  you  mean?  If  it  had  a  password,  how  would  I  open 

16  this  file  essentially? 

17  A.  Sir,  it  was  a  zip  file  so  if  you  double  click  on  it,  it 

18  would  ask  you  for  the  password. 

19  Q.  Now,  if  I  double  clicked  on  the  zip  file,  would  I  be  able 

20  to  see  the  contents  of  the  file? 

21  A.  You  can  see  the  file  listing,  yes,  sir;  but  not  actually 

22  the  —  you  couldn't  actually  see  the  movie  inside. 
Q.  Okay.  So  if  I  tried  to  double  click  again  on  the  movie
inside  I  wouldn't  be  able  to  open  it? 

A.  Correct. 

Q.  And  how  complicated  was  this  password? 

A.  Sir,  the  password  was  complicated.  It  had  both  upper  case, 
lower  case,  numbers  and  symbols  within  the  password. 

Q.  And  how  did  you  get  the  password  to  open  this  file? 

A.  The  password  was  provided  to  me  by  another  CCIU  agent. 

Q.  And  where  had  that  password  been  collected  from? 

A.  CENTCOM  itself. 

Q.  And  what  was  inside  the  B.zip  file? 

A.  There  was  a  movie  file,  BE22PAX.wmv. 

Q.  And  what  is  .wmv? 

A.  That's  a  Windows  media  file.  It's  a  movie. 

Q.  And  have  you  seen  this  movie  file  before? 

A.  I  had,  sir. 

Q.  And  when  had  you  seen  this  movie  file? 

A.  Sir,  in  examination  of  the  CENTCOM  server  —  SharePoint 
Server  itself,  I  noticed  it  there  and  viewed  it  there  as  well. 

Q.  Now,  where  on  the  CENTCOM  server? 

A.  There’s  a  folder  concerning  the  SJA  investigations  on  a 
subfolder  called  Farah. 
Q.  I'm  retrieving  what's  been  admitted  as  Prosecution  Exhibit
65.  Agent  Shaver,  if  I  can  ask  you  to  move  over  to  the  panel  box  and 
if  you  would  just  sit  in  front  of  my  presentation. 

A.  Yes,  sir. 

MJ:  Is  that  Prosecution  Exhibit  65? 

ATC [CPT  MORROW]:  65,  ma'am. 

Q.  I'm  handing  you  Prosecution  Exhibit  65.  If  you  would  just 
take  a  couple  moments  to  look  through  it. 

[There  was  a  brief  pause  while  the  witness  read  through  the  exhibit.] 

Q.  Do  you  recognize  that  document? 

A.  Yes,  sir;  I  do. 

Q.  What  is  it? 

A.  Sir,  it  is  a  file  listing  of  the  contents  of  the  Farah 
investigation  folder. 

Q.  What  does  a  file  listing  tell  you  or  show  you? 

A.  The  file  names  and  folders  of  that  directory. 

Q.  Can  you  —  Just  using  that  can  you  find  where  the
BE22PAX.wmv,  where  that  movie  file  was  located,  using  the  file
listing?

A.  Yes,  sir. 

Q.  And  where  is  it? 

A.  It's  at  the  end,  sir,  it's  an  alphabetical  listing.  The 
folder  is  under  a  folder  called  videos  and  it's  - 
Q.  Is  there  a  subfolder  under  videos?

A.  No,  sir  there  is  not.  It's  Farah  videos  and  then  the  file 
name  is  BE22PAX  and  that's  it. 

Q.  So  the  WMV  is  within  the  dot  zip? 

A.  Yes,  sir. 

MJ:  Yes. 

ADC [CPT  TOOMAN]:  Your  Honor,  the  defense  will  stipulate  that
the  video  on  the  computer  of  Jason  Katz  and  the  video  on  the  CENTCOM
server  are  the  same  if  that's  where  prosecution  is  going.

ATC [CPT  MORROW]:  That's  where  we  are  going,  Your  Honor.

MJ:  Okay.

ATC [CPT  MORROW]:  Just  a  couple  more  questions.  I'll  just
retrieve  the  exhibit  back  and  you  can  move  back  to  the  witness  stand.

Q.  Did  you  watch  the  BE22PAX.wmv?

A.  Yes,  sir. 

Q.  What  did  the  movie  depict? 

A.  It  depicted  a  aircraft  over  a  battle  space. 

Q.  Did  this  particular  movie  file  depict  any  airstrikes? 

A.  No,  sir. 

Q.  Did  you  observe  any  explosions  in  this  movie  file? 

A.  No,  sir. 

Q.  How  do  you  know? 

A.  I  watched  it. 
Q.  Did  you  watch  —  you  watched  both  versions?

A.  Yes,  sir. 

Q.  Agent  Shaver,  was  there  any  metadata  associated  with  the 
.zip  file  on  Mr.  Katz's  computer? 

A.  Yes,  sir. 

Q.  Can  you  explain  what  metadata  is  first  before  you  answer? 

A.  Yes,  sir.  Metadata  is  information  on  information.  In  this 
case  it  would  be,  I  believe  you're  talking  about  the  file  creation 
date.

Q.  Yes,  sir. 

A.  The  file  creation  of  this  file  was  15  December  2009. 

Q.  And  what  does  that  mean  to  you? 

A.  That  means  someone  copied  the  file  to  this  computer  on  15 
December  2009. 

Q.  And  during  your  examination  of  this  computer,  did  you 
observe  any  other  activity  of  interest? 

A.  Yes,  sir.  There  was  a  —  The  user  of  this  account  was 
attempting  to  decrypt  the  file  or  get  the  password  of  the  zip  file. 

Q.  How  do  you  know? 

A.  From  a  few  things.  There's  a  folder  called  —  There  was  a 
history  file  that  captured  the  commands  that  were  issued,  the 
downloading  of  an  open  source,  password  cracking  utility  and  several 
dictionaries  to  help  facilitate  the  password  cracking. 
Q.  Why  would  the  dictionaries  help  facilitate  password
cracking? 

A.  There's  —  A  dictionary  hack  is  a  common  methodology  for 
decrypting  files.  It  would  use  words  that  have  already  been  generated,
common  words  and  use  that  as  a  source  to  guess  the  passwords. 

ATC [CPT  MORROW]:  Thank  you. 

MJ:  Cross-examination?

ADC [CPT  TOOMAN]:  Can  I  have  a  minute,  Your  Honor?

MJ:  Yes.

CROSS-EXAMINATION

Questions  by  the  assistant  defense  counsel  [CPT  TOOMAN]:

Q.  Good  afternoon,  Agent  Shaver.

A.  Hooah,  sir. 

Q.  Just  a  few  questions  for  you. 

A.  Yes,  sir. 

Q.  You  testified  on  direct  that  you  compared  the  video  on  the 
Jason  Katz's  computer  to  the  video  on  the  CENTCOM  server? 

A.  Yes,  sir. 

Q.  Now,  they  were  both  —  both  on  the  Katz  computer  and  the
CENTCOM  server,  both  of  those  files  were  in  the  zip  folder,  correct?

A.  Correct.

Q.  And  the  zip  folders  had  different  hash  values,  correct? 

A.  That's  correct. 
Q.  But  the  video  inside,  those  had  the  same  hash  value?

A.  Yes,  sir. 

Q.  So  it's  possible  for  the  zip  folder  to  have  a  different
hash  value  but  then  the  files  inside  to  have  the  same  hash  value? 

A.  Yes,  sir. 

Q.  Okay.  And  you  testified  that  Jason  Katz  somehow  placed 
that  file  on  his  computer  on  15  December,  correct? 

A.  The  user  account  did,  yes. 

Q.  The  user  account.  Okay.  But  you  don't  know  how  it  got 
there? 

A.  No,  sir. 

Q.  It  could  have  been  a  CD,  it  could  have  been  —  could  have 
been  a  CD? 

A.  Yes,  sir. 

Q.  It  could  have  been  a  download? 

A.  Anything  is  possible. 

Q.  So  there  are  a  lot  of  different  ways  that  that  file  could 
have  been  placed  on  the  computer? 

A.  Yes,  sir. 

Q.  Now,  when  you  were  performing  your  forensic  examination  of 
Mr.  Katz's  computer,  you  found  something  called  Secure  Shell  on 
there,  correct? 

A.  Correct. 
Q.  Could  you  explain  for  the  Court  what  Secure  Shell  is?

A.  Sure.  That  is  a  secure  communication  method.  It's  an 
encrypted  tunnel  between  two  computers.  One  can  issue  commands  from 
one  computer  to  another. 

Q.  So  Secure  Shell  would  allow,  could  potentially  allow  a 
person-to-person  to  communicate  between  their  system  at  work  and  the 
system  at  home  for  example? 

A.  Sure. 

Q.  Now,  when  you  were  performing  the  forensics  on  Mr.  Katz's 
computer  you  looked  at  everything,  correct? 

A.  Yes,  sir. 

Q.  You  looked  at  e-mails? 

A.  Correct.  I  let  it  search  the  whole  drive;  yes,  sir. 

Q.  You  searched  the  whole  drive  and  when  you  were  doing  your 
forensic  examination  of  Mr.  Katz's  computer,  you  looked  for  things 
related  to  my  client,  correct? 

A.  Yes,  sir. 

Q.  But  you  didn't  find  anything  related  to  my  client,  correct? 

A.  That's  correct. 

Q.  There  weren't  e-mails  between  Mr.  Katz  and  PFC  Manning? 

A.  Correct. 

Q.  There  weren't  chats  between  Mr.  Katz  and  PFC  Manning? 

A.  Correct. 
1  Q.  In  fact  your  investigation  revealed  absolutely  no

2  connection  whatsoever  between  Jason  Katz  and  my  client? 

3  A.  That  is  correct. 

4  ADC [CPT  TOOMAN] :  Nothing  further.  Thank  you. 

5  MJ:  Redirect? 

6  ATC [CPT  MORROW]:  No,  Your  Honor. 

7  MJ:  All  right. 

8  [The  witness  was  temporarily  excused,  duly  warned,  and  withdrew  from 

9  the  courtroom.] 

10  ATC [CPT  von  ELTEN]:  Your  Honor,  I  have  the  Stipulation  of

11  the  Expected  Testimony  of  Mr.  Wyatt  Bora  dated  10  June  2013. 

12  MJ:  That's  Appellate  Exhibit  —  or,  I'm  sorry  Prosecution 

13  Exhibit? 

14  ATC [CPT  von  ELTEN]:  Prosecution  Exhibit  115. 

15  MJ:  Thank  you. 

16  ATC [CPT  von  ELTEN]:  It  is  hereby  agreed  by  the  Accused,  Defense 

17  Counsel,  and  Trial  Counsel,  that  if  Mr.  Wyatt  Bora  were  present  to 

18  testify  during  the  merits  and  pre-sentencing  phases  of  this  court- 

19  martial,  he  would  testify  substantially  as  follows: 

20  I  am  a  retired  Captain  in  the  United  States  Air  Force.  I 

21  served  on  active  duty  from  1987  to  2008.  I  have  a  Bachelor  of 

22  Science  in  Computer  Engineering  from  the  University  of  New  Hampshire 

23  in  1999.  I  have  a  Masters  in  Computer  Engineering  from  Rensselaer 




1  Polytechnic  Institute  in  2004.  In  the  Air  Force,  I  primarily  worked 

2  as  a  computer  engineer  and  a  manager  of  other  computer  engineers.  I 

3  also  wrote  computer  code  and  created  technical  software  solutions.  I 

4  created  interactive  lab  displays  with  speech  control.  I  managed  air 

5  operations  system  tests  and  development  for  command  and  control  of 

6  the  Air  Operations  Center.  I  also  worked  as  a  systems  engineer  on 

7  large  information  technology  (IT)  systems  designed  to  manage 

8  financial  transactions.  As  a  systems  engineer,  I  planned  IT  system 

9  architecture  to  ensure  the  system  worked  together,  managed 

10  requirements  and  costs,  and  scheduled  performance  tests. 

11  After  retiring  from  active  duty  in  2008,  I  began  working  at 

12  the  Air  Force  Research  Lab  in  Rome,  New  York,  as  a  civilian  working 

13  on  acquisition  of  command  and  control  IT.  At  the  Air  Force  Research 

14  Lab,  I  managed  other  IT  programs  with  a  focus  on  command  and  control 

15  applications  at  the  operational  level. 

16  In  January  2012,  I  became  the  Program  Manager  (PM)  for  the 

17  Combined  Information  Database  Network  Exchange  (CIDNE)  program.  As 

18  the  PM  for  CIDNE,  I  am  responsible  for  the  day-to-day  management  of 

19  the  entire  program.  I  am  responsible  for  finances,  to  include 

20  projecting  budgetary  requirements  and  meeting  the  program's  budget. 

21  I  am  also  responsible  for  ensuring  that  customer  needs  are  met. 

22  Customers  submit  change  requests  that  request  the  addition  of  a 

23  function  or  a  change  to  current  functionality.  I  make  sure  customer 
1  functionality  needs  are  met.  Customers  also  submit  problem  reports

2  that  note  bugs  and  flaws  in  the  system.  I  make  sure  that  these  bugs 

3  and  flaws  are  corrected. 


4  CIDNE  is  a  reporting  and  querying  system.  CIDNE  links


5  operations  information  with  intelligence  information  and  breaks  the 

6  traditional  stovepipe  separating  the  two  types  of  information.  In 

7  particular,  the  system  linking  intelligence  and  operations  systems 

8  breaks  down  stovepipes  between  the  2  (intelligence),  3  (operations), 

9  and  5  (planning)  shops.  This  linkage  of  operations  information  and 

10  intelligence  information  has  been  designed  to  provide  commanders  with 

11  fuller,  more  accurate  information  on  which  to  base  command  decisions, 

12  particularly  in  the  field. 

13  CIDNE  is  a  direct  reporting  system  for  the  United  States 

14  Central  Command  (USCENTCOM)  and  is  used  by  USCENTCOM  and  its 

15  subordinate  commands.  In  September  2007,  USCENTCOM  issued  FRAGO  09- 

16  1290  to  direct  all  units  to  use  CIDNE  for  report  creation.  As  a 

17  reporting  system,  CIDNE  allows  users  to  enter  information  into  a 

18  report.  There  are  approximately  130  types  of  CIDNE  reports.  Some  of 

19  the  130  types  of  CIDNE  reports  are  Human  Intelligence  (HUMINT) 

20  reports,  Human  Terrain  reports,  Counter  IED  (C-IED)  reports,

21  Targeting  reports,  Socio-Cultural  reports,  Civil  Affairs  reports,

22  Psychological  Operations  (PSYOP)  reports,  and  Significant  Activity 

23  (SIGACT)  reports.  One  of  the  reports  frequently  used  by 
Servicemembers  in  the  field  is  the  SIGACT  reports.  A  SIGACT  is  a
report  created  by  a  Servicemember  at  the  completion  of  a  mission. 

The  SIGACT  is  input  into  CIDNE  for  use  by  the  unit  that  completed  the 
mission  and  any  other  unit  with  authorized  access  to  CIDNE.  Of  the 
approximately  130  types  of  reports,  the  SIGACT  is  the  most  commonly 
used  report  on  CIDNE.  SIGACTs  constitute  approximately  24%  of  all 
reports  created,  depending  on  the  reporting  period. 

For  SIGACTs  and  other  reports,  CIDNE  requires  completeness. 
CIDNE  has  automatic  quality  assurance  built  into  the  database,  and  a 
user  cannot  complete  a  report  without  entering  information  into 
specified  fields.  Additionally,  CIDNE  has  manual  quality  control 
because  most  reports  are  reviewed  for  completeness  by  people  engaged 
in  quality  assurance.  The  quality  control  mechanisms  ensure  that  the 
reports  contain  sufficient  information  for  future  use.  Furthermore, 
CIDNE  reports  are  marked  according  to  their  classification,  including 
Unclassified,  Confidential,  and  Secret. 

CIDNE  is  also  a  querying  system  because  authorized  users 
can  search  the  database  for  previous  reports.  A  user  can  search  by 
keywords,  to  include  terms  and  topics,  dates,  and  locations.  This 
querying  system  allows  users  to  see  and  use  any  report  in  the  CIDNE 
system.  CIDNE  uses  database  administrators.  In  2009-10,  these 
administrators  were  on-site,  which  means  they  must  be  present  at  the 
physical  location  of  servers,  to  include  Iraq,  Afghanistan,  and 
1  Tampa,  Florida.  CIDNE  is  a  complex  system  with  millions  of  lines  of

2  programming  code  due  to  the  volume  of  data.  In  particular,  creating 

3  the  structure  to  make  the  data  retrievable  (searchable)  requires 

4  significant  resources.  The  program  has  continually  employed 

5  approximately  20  to  30  or  more  programmers  to  develop,  maintain,  and 

6  debug  the  code  for  CIDNE  so  that  the  database  may  maintain  all  the 

7  different  reports,  including  SIGACTS  for  use  on  classified  networks. 

8  In  2007,  the  program  spent  approximately  $900,000  on  data  management 

9  in  Iraq.  In  2008,  the  program  spent  approximately  $1,000,000  on  data 

10  management  in  Iraq.  In  2009,  the  program  spent  approximately 

11  $4,200,000  on  data  management  in  Afghanistan  and  $1,800,000  on  data 

12  management  in  Iraq.  In  2010,  the  program  spent  approximately 

13  $3,600,000  on  data  management  in  Afghanistan.  In  2011,  the  program 

14  spent  approximately  $3,000,000  on  data  management  in  Afghanistan  and 

15  $570,0000  on  data  management  in  Iraq.  In  2012,  the  program  spent 

16  approximately  $5,000,000  on  data  management  in  Afghanistan.  These 

17  data  management  costs  are  directly  associated  with  keeping  the  data 

18  useable  on  the  classified  networks.  I  do  not  know  the  data 

19  management  costs  for  Iraq  for  2005,  2006,  2010,  and  2012,  and  I  do 

20  not  know  the  data  management  costs  for  Afghanistan  2005. 

21  CIDNE  has  undergone  constant  development  in  its  existence 

22  to  improve  its  functionality.  CIDNE  is  currently  being  developed  to 

23  save  costs  by  changing  its  configuration  to  permit  changes  to  reports 
1  without  a  developer's  intervention  at  the  physical  location  of  the

2  user.  Responses  to  change  requests  require  new  code  to  be  added. 

3  Depending  on  the  nature  of  the  change  request,  which  range  from 

4  adding  a  new  field  to  an  existing  report  to  creating  an  entirely  new 

5  report,  coding  development  can  take  anywhere  from  5  to  several 

6  hundred  hours.  These  developments  require  research  and  incur 

7  significant  costs.  In  2005,  the  program  spent  approximately 

8  $1,100,000  for  development  and  testing  in  Iraq  and  $1,800,000  in 

9  development  and  testing  in  the  Continental  United  States  (CONUS).  In

10  2006,  the  program  spent  approximately  $1,770,000  for  development  and 

11  testing  in  Iraq  and  $790,000  in  development  and  testing  in  CONUS.  In 

12  2007,  the  program  spent  approximately  $1,320,000  for  development  and 

13  testing  in  Iraq  and  $1,810,000  in  development  and  testing  in  CONUS. 

14  In  2008,  the  program  spent  approximately  $950,000  for  development  and 

15  testing  in  Afghanistan,  $2,690,000  for  development  and  testing  in 

16  Iraq,  and  $3,610,000  in  development  and  testing  in  CONUS.  In  2009, 

17  the  program  spent  approximately  $2,760,000  for  development  and 

18  testing  in  Afghanistan,  $3,280,000  for  development  and  testing  in 

19  Iraq,  and  $5,500,000  in  development  and  testing  in  CONUS.  In  2010, 

20  the  program  spent  approximately  $4,200,000  for  development  and 

21  testing  in  Afghanistan,  2,600,000  --  260  —  $2,650,000  for 

22  development  and  testing  in  Iraq,  and  $4,980,000  in  development  and 

23  testing  in  CONUS. 
1  To  gain  access  to  CIDNE,  a  user  first  needs  to  be

2  authorized  to  access  an  IT  system.  Second,  a  user  needs  to  be 

3  authorized  to  use  a  network  domain  authorized  to  host  CIDNE.  CIDNE 

4  and  SIGACTs  within  CIDNE  are  only  available  on  classified  networks. 

5  All  classified  domains  on  which  CIDNE  exists  require  a  security  —  a 

6  security  clearance  to  access.  Finally,  a  user  must  be  authorized  to 

7  access  the  database.  A  user  can  obtain  access  only  if  he  has  a 

8  security  clearance  and  a  need  to  know  the  information  accessible  on 

9  CIDNE.  By  default,  CIDNE  is  read  only.  A  user  must  —  A  user  must 

10  apply  for  permission  to  be  granted  the  ability  to  create  reports  on 

11  CIDNE. 

12  CIDNE  currently  uses  12  Centrix  servers  and  9  SIPRNET 

13  servers.  During  2009  and  2010,  CIDNE  used  additional  servers.  Each 

14  server  costs  approximately  $48,000.  Servers  hosting  CIDNE-Iraq  were 

15  hosted  in  Iraq.  CIDNE-Afghanistan  servers  were  and  are  located  in

16  Afghanistan.  Some  servers  were  and  are  located  in  Tampa,  Florida. 

17  In  2007,  the  program  spent  approximately  $720,000  on  hardware  in 

18  Iraq.  In  2008,  the  program  spent  $560,000  on  hardware  in  Afghanistan 

19  and  $190,000  on  hardware  in  Iraq.  In  2009,  the  program  spent 

20  approximately  $1,660,000  on  hardware  in  Afghanistan  and  $520,000  on 

21  hardware  in  Iraq.  In  2010,  the  program  spent  $760,000  on  hardware  in 

22  Afghanistan.  In  2011,  the  program  approximately  spent  $180,000  on 
1  hardware  in  Afghanistan.  In  2012,  the  program  spent  approximately

2  $3,680,000  on  hardware  in  Afghanistan. 

3  Before  units  deploy,  they  receive  training.  As  PM,  I  am 

4  responsible  for  ensuring  the  proper  resources  are  in  place  to  support 

5  the  various  training  courses  offered  for  CIDNE.  The  courses  range 

6  from  1  day  to  2  weeks.  In  addition,  there  is  a  3-week  advanced 

7  course.  Also,  units  conducting  exercises  utilize  CIDNE  as  part  of 

8  that  training,  and  the  program  supports  the  needs  of  those  units.  In 

9  2005,  the  program  spent  approximately  $1,100,000  for  Iraq  training.

10  In  2006,  the  program  spent  approximately  $1,180,000  for  Iraq  training

11  and  $480,000  for  CONUS  training.  In  2007,  the  program  spent 

12  approximately  $2,570,000  for  Iraq  training  and  $200,000  for  CONUS 

13  training.  In  2008,  the  program  spent  approximately  $1,850,000  for 

14  Afghanistan  training,  $5,220,000  for  Iraq  training,  and  $1,550,000 

15  for  CONUS  training.  In  2009,  the  program  spent  approximately 

16  $5,360,000  for  Afghanistan  training,  $6,370,000  for  Iraq  training, 

17  and  $3,660,000  for  CONUS  training.  In  2010,  the  program  spent 

18  approximately  $8,140,000.00  for  Afghanistan  training,  $5,150,000  for 

19  Iraq  training,  and  $3,320,000  for  CONUS  training.  In  2011,  the 

20  program  spent  approximately  $18,410,000  for  Afghanistan  training, 

21  $2,650,000  for  Iraq  training,  and  $6,150,000  for  CONUS  training.  In 

22  2012,  the  program  spent  approximately  $8,790,000  for  Afghanistan 

23  training  and  $2,740,000  for  CONUS  training. 
I  cannot  attribute  a  specific  amount  of  these  costs  for
data  management,  development  and  testing,  hardware,  and  training  to 
any  specific  report.  None  of  these  costs  include  operational  unit 
costs.

From  2005  through  2012,  the  CIDNE  program  spent 
approximately  $181,160,000  on  contracted  support  required  to  run  the 
program,  to  include  development,  training,  data  management,  and 
hardware.  In  addition,  from  2005  through  2012,  the  program  spent 
approximately  $5,434,800.00  on  program  management  support,  to  include 
government  testing,  administrative  oversight,  and  research  and 
development.  These  costs  support  the  development  and  maintenance  of 
CIDNE,  which  is  an  information  system.  The  hardware,  to  include 
servers  —  to  include  the  servers,  involves  significant  costs.  Over 
25  individuals  work  primarily  to  ensure  CIDNE  functions  correctly, 
and  their  salaries  are  primarily  derived  from  their  work  on  CIDNE. 

The  system  has  been  designed  and  developed  to  provide  robust  features 
to  provide  classified  information  to  commanders  in  combat 
environments.  The  information  is  valuable  because  the  system 
accumulates  different  types  of  information  in  one  place  for 
authorized  officials  to  access  and  review.  The  United  States  has 
dedicated  significant  resources  over  $185,000,000  to  CIDNE  because 
the  information  has  significant  value  to  commanders.  Year  to  year 
increases in spending can be attributable to increased troop presence

1 in a given nation. CIDNE has been designed to aid commanders in

2  making  operational  decisions,  and  safety  of  operations  decisions  in 

3  particular,  based  on  CIDNE  data. 

4  At  no  time  was  the  SIGACT  information  charged  in  this  case 

5  unavailable  for  access  on  the  CIDNE  database.  Those  that  accessed 

6  the  SIGACT  database  before  May  of  2010  did  so  in  the  same  manner 

7  after  May  of  2010.  We  continue  to  use  the  SIGACTs  charged  in  this 

8  case  in  the  CIDNE  database.  To  the  best  of  my  knowledge,  the  United 

9 States Government has never made these databases publicly


10 available.

11 MJ: Okay. Thank you.

12 ATC [CPT von ELTEN]: I have the Stipulation of Expected

13 Testimony of Mr. Patrick Hoeffel dated 10 June 2013, and that is

14 Prosecution Exhibit 116, ma'am.

15 MJ: Okay.

16 ATC [CPT von ELTEN]: It is hereby agreed by the Accused,

17  Defense  Counsel,  and  Trial  Counsel,  that  if  Mr.  Patrick  Hoeffel  were 

18  present  to  testify  during  the  merits  and  pre-sentencing  phases  of 

19  this  court-martial,  he  would  testify  substantially  as  follows. 

20  I  am  a  software  engineer  at  Intelligent  Software  Solutions, 

21  Inc.,  Colorado  Springs,  Colorado.  I  design  and  write  software 

22  systems,  such  as  the  Combined  Information  Database  --  the  Combined 

23 Information Data Network Exchange (CIDNE) database, and manage eight

1 other individuals who also write code -- write software code for

2  CIDNE.  In  1989,  I  earned  my  Bachelor  of  Science  degree  in  Computer 

3  Science  from  Catholic  University  in  Washington,  DC.  During  the  time 

4  I  was  attending  school,  I  worked  from  1987  to  1989  in  the  school 

5  computer  lab  as  student  help  desk  support.  Also,  in  1989,  I  worked 

6  for  a  rent  control  apartment  management  company  writing  software. 

7  From  1989  to  1997,  I  worked  in  Columbus,  Ohio,  as  a  software  engineer 

8  for  a  company  called  CompuServe,  which  was  bought  by  America  Online 

9 (AOL). From 1997 to 1998, I additionally worked as a consultant for

10  Compu  --  Compuware,  contracted  to  MCI,  which  is  now  Verizon. 

11  In  2000,  I  received  80  hours  of  course  instruction  on  the 

12  Design  and  Maintenance  of  Structured  Query  Language  (SQL)  Server 

13  Databases  and  Systems.  This  instruction  provided  foundational 

14  knowledge  for  my  work  as  a  software  and  database  engineer.  From  1998 

15  to  1999,  I  worked  at  software  startup  company  called  TribalVoice.  At 

16  TribalVoice,  I  was  a  software  engineer. 

17  From  1999  to  2006,  I  worked  at  a  software  startup  company 

18 called ConfigureSoft, in Colorado Springs, Colorado. I worked at

19  ConfigureSoft  as  a  software  engineer  with  an  emphasis  on  the  design 

20  of  database  systems.  I  also  designed  databases  and  software  systems 

21  to  be  used  by  systems  administrators.  As  a  database  and  software 

22 designer, I became familiar with systems administration.

1 I have worked at Intelligent Software Solutions, Inc. since

2  September  2006.  During  my  time  at  Intelligent  Software  Solutions,  I 

3  have  spent  2  years  as  the  lead  CIDNE  engineer  in  theater  and  at 

4  corporate  headquarters.  I  have  been  responsible  for  the  management 

5  of  day-to-day  CIDNE  engineering  operations.  I  have  managed 

6  approximately  20  individuals  that  range  from  software  engineers,  to 

7  database  engineers,  testers,  and  system  administrators. 

8  I  have  no  military  experience,  but  I  have  deployed  as  a 

9  contractor  with  Intelligent  Software  Solutions,  Inc.  I  deployed  to 

10 Victory Base Complex (VBC), Iraq from September 2007 to December 2007

11  as  a  software  engineer  working  on  the  CIDNE  database.  I  deployed 

12  again  from  May  2009  to  September  2009  to  the  VBC,  Iraq,  working  as  a 

13  software  engineer  on  the  CIDNE  database.  From  May  2010  to  August 

14  2010,  I  deployed  to  Kabul,  Afghanistan  as  a  theater  technical  lead 

15  working  on  the  CIDNE  database.  I  last  deployed  from  May  2011  to 

16  September  2011  to  Kabul,  Afghanistan  as  a  theater  technical  lead 

17  working  on  the  CIDNE  database.  I  have  over  25  years  of  computer 

18  science  expertise  developed  through  courses  and  experience. 

19  I  am  familiar  with  the  CIDNE  software  and  the  database  in 

20  particular  because  I  developed  the  database.  CIDNE  is  a  centralized 

21  database  that  stores  information  about  events,  people,  organizations, 

22  and  facilities,  and  makes  that  information  available  to  users 

23 throughout Iraq, Afghanistan, and the United States. There are

1 different CIDNE databases for Iraq and Afghanistan. The Iraq server

2  at  United  States  Central  Command  (USCENTCOM)  Headquarters  (HQ)  is 

3  physically  distinct  from  the  Afghanistan  server.  The  two  do  not 

4  share  data  with  each  other.  The  Iraq  data  is  stored  in  a  series  of 

5  servers  that  are  positioned  at  various  locations  in  Iraq,  with  all 

6  data  being  constantly  copied  back  to  a  CIDNE-Iraq  server  at  USCENTCOM 

7  HQ  in  Tampa,  Florida,  for  use  by  interested  entities.  All  data  is 

8  the  same  across  all  Iraq  servers.  Afghanistan  data  is  stored  in  a 

9  series  of  servers  that  are  positioned  at  various  locations  in 

10 Afghanistan, with all data copied back to a CIDNE-Afghanistan server

11  in  Tampa.  This  setup  was  created  to  make  data  available  as  broadly 

12  as  possible. 

13  CIDNE  can  be  accessed  through  one  of  the  seven  different 

14  classified  networks,  including  SIPRNET  and  JWICS.  CIDNE  is  only 

15  available  on  classified  networks.  CIDNE  data  is  accessed  using  a 

16  CIDNE  website.  To  see  Afghanistan  data,  one  must  open  a  CIDNE-A 

17 website — or web page on a CIDNE-Afghanistan server. Likewise, Iraq

18  data  must  be  accessed  via  a  CIDNE-I  server  through  a  CIDNE-I  website. 

19  During  the  2009-2010  timeframe  one  could  access  a  database  by  logging 

20  in  as  self-registered  or  as  a  guest  user  to  browse.  As  of  today, 

21  capabilities  were  developed  to  see  who  views  data  and  an  enhanced 

22  log-in  system  was  designed  for  access  to  the  CIDNE  database.  One  can 

23 no longer browse the database without logging in — without logging

1 in as a self-registered user. Prior to the recent log-in

2  requirements,  the  CIDNE  databases  did  not  track  individual  users' 

3  access  by  IP  address  or  otherwise. 

4  CIDNE  reports  are  individual  reports  of  specific  unit 

5  actions.  CIDNE  is  the  USCENTCOM  directed  reporting  tool  for  the 

6  majority  of  operational  reporting  in  Iraq  and  Afghanistan.  It  is  a 

7  structured  collection  of  data  with  over  100  different  types  of 

8 reports, including Significant Activity reports (SIGACTs). SIGACTs

9  are  only  one  report  type  in  CIDNE,  but  it  is  one  of  the  most 

10  frequently  used  type  of  report  along  with  HUMIT  —  Human  Intelligence 

11  (HUMINT)  and  Counter-IED  (C-IED)  reports.  SIGACTs  are  often  used 

12  because  of  their  content.  SIGACTs  are  summaries  of  actual  events 

13  created  at  the  time  of  those  events.  The  reports  state  the  who, 

14  what,  when,  and  where  of  events  encountered  by  the  unit. 

15  A  user  can  create  a  report  only  if  the  user's  unit 

16  administrator  grants  the  authority  to  populate  reports  on  the  system. 

17  Any  user  with  access  to  CIDNE  on  a  classified  network  could  browse 

18  the  information.  During  the  2009-2010  timeframe,  the  CIDNE  database 

19  did  not  record  who  looked  at  the  data.  Instead,  CIDNE  only  recorded 

20  who  was  creating  reports  and  what  types  of  reports  were  being 

21  created.  As  the  theater  technical  lead  in  Afghanistan,  I  frequently 

22  worked  with  users  who  created  reports  and  the  types  of  reports  the 

23 users created. CIDNE requires reports have certain fields completed.

1 The database will not accept a report unless the required fields are

2  completed.  Classification  is  a  mandatory  field  with  Unclassified, 

3  Confidential,  and  Secret  as  the  options.  Thus,  all  reports, 

4  including  all  SIGACTs,  are  marked  with  a  classification.  Once  a 

5  report  is  entered  into  CIDNE,  the  database  assigns  a  unique  value 

6  called  a  "report  key"  that  is  used  by  the  database  to  identify 

7  individual  reports  and  allows  the  user  to  quickly  query  the  database. 

8  10.  In  August  2010,  I  was  tasked  to  participate  in  the  Information 

9  Review  Task  Force  (IRTF)  at  the  Defense  Intelligence  Agency  (DIA) 

10  based  on  my  CIDNE  expertise.  My  original  task  was  to  verify  and 

11  confirm  that  the  compromised  data  came  from  the  CIDNE-A  database,  and 

12  later  I  also  was  tasked  to  review  the  CIDNE-I  database.  As  a  part  of 

13  the  IRTF,  I  identified  the  source  of  the  compromised  data,  the  time 

14  frame  in  which  the  data  was  taken  based  on  examination  of  the 

15  released  data,  and  data  in  the  source  database.  Using  computer 

16  software,  I  compared  the  compromised  CIDNE-A  report  keys  to  the 

17  report  keys  in  the  original  database.  Based  on  my  comparison,  I 

18  concluded  the  hundreds  of  thousands  of  compromised  report  keys  in  the 

19  original  report  keys  —  and  the  original  report  keys  on  the  CIDNE-A 

20  database  were  identical.  I  spent  about  2  weeks  on  the  IRTF 

21  initially.  I  returned  to  the  IRTF  in  November  2010  after  the  CIDNE-I 

22  database  was  released.  I  repeated  the  comparison  procedures  for 

23 CIDNE-I. Using computer software, I compared the compromised CIDNE-I

1 report keys to the original report keys in the database. Based on my

2  comparison,  I  concluded  the  tens  of  thousands  of  compromised  report 

3  keys  and  the  original  report  keys  on  the  CIDNE-I  database  were 

4  identical. 

5  At  the  bottom  of  the  CIDNE  database  search  query  results 

6 screen, CIDNE allows a user to export SIGACTS into a ".csv" format.

7  CIDNE  only  exports  1  month  at  a  time.  This  export  function  is 

8  available  for  users  to  download  specific  information  in  order  to  use 

9  the  information  with  other  programs  or  systems.  During  my 

10  investigation,  I  determined  that  the  last  of  the  compromised  CIDNE-A 

11  data  was  pulled  from  the  CIDNE-A  System  in  the  57  seconds  between 

12  11:51:30Z  and  11:52:27Z  (Zulu  time).  Afghanistan  servers  are  all  set 

13  to  Zulu  time,  and  thus  the  reported  dates  are  all  in  Zulu  time.  The 

14  compromised  data  from  CIDNE-A  was  pulled  before  7  January  2010, 

15 11:52:27 Zulu because that is the date and time of the first update

16  made  to  a  report  where  the  update  did  not  appear  in  the  compromised 

17  data.  The  compromised  data  was  pulled  from  the  CIDNE-A  system  after 

18 7 January 2010, 11:51:30 Zulu because that is the date and time of the

19  last  update  made  to  a  report  where  the  update  appeared  in  the 

20  compromised  data.  Every  modification  prior  to  that  time  appears  in 

21  the  compromised  data. 

22  The  compromised  Iraq  data  was  pulled  from  the  CIDNE-I 

23 system in the 14 minutes and 51 seconds between 04:39:13C and

1 04:54:04C (Iraq time). Iraq servers are set to local time and record

2  their  dates  in  local  time,  which  is  Zulu+3  on  3  January  2010.  The 

3  compromised  data  from  CIDNE-I  was  pulled  before  3  January  2010, 

4  04:54:04C.  The  first  data  modification  that  does  not  appear  in  the 

5  compromised  data  occurred  at  3  January  2010,  04:54:04C.  Every 

6  modification  prior  to  that  time  appears  in  the  compromised  data, 

7  while  all  modifications  at  this  point  and  following  do  not  appear  in 

8  the  compromised  data.  The  compromised  data  from  CIDNE-I  had  to  have 

9  been  pulled  after  3  January  2010,  04:39:13C.  The  last  modification 

10  to  appear  in  the  compromised  data  occurred  at  3  January  2010, 

11  04:39:13C.  Every  modification  including  and  prior  to  that  time 

12  appears  in  the  compromised  data. 

13  At  no  time  was  the  SIGACT  information  charged  in  this  case 

14  unavailable  for  access  on  the  CIDNE  database.  Those  that  accessed 

15  the  SIGACT  database  before  May  of  2010,  did  so  in  the  same  manner 

16  after  May  of  2010.  We  continue  to  use  the  SIGACTs  charged  in  this 

17  case  in  the  CIDNE  database.  To  the  best  of  my  knowledge,  the  United 

18 States Government has never made these databases publicly available.

19  TC [MAJ  FEIN]:  I  have  two  more  stipulations  of  expected 

20  testimony,  PE  113  and  PE  78.  113  and  78. 

21  MJ:  Thank  you. 

22  TC [MAJ  FEIN]:  Ma'am,  first  Stipulation  of  Expected  Testimony, 

23 Ms. Debra Van Alstyne, 10 June 2013. It is hereby agreed by the

1 Accused, Defense Counsel, and Trial Counsel, that if Ms. Debra Van

2  Alstyne  were  present  to  testify  during  the  merits  phase  of  this 

3  court-martial,  she  would  testify  substantially  as  follows: 

4  I  am  the  Aunt  of  PFC  Bradley  E.  Manning.  Brad  came  to  live 

5  with  my  family  in  the  summer  of  2006.  Brad  uses  my  home  as  his  home 

6  of  record  and  spends  his  leave  and  holidays  with  us.  When  Brad  came 

7  back  from  Iraq  for  his  mid-tour  leave  in  January  of  2010,  he  stayed 

8  with  us  at  my  house.  Brad  came  home  on  Sunday,  the  24th  of  January. 

9  On  the  night  of  the  25th  of  January  he  went  to  Boston  to  visit  his 

10  friends.  Brad  returned  from  Boston  on  Monday,  the  1st  of  February 

11  and  came  back  to  stay  with  us  for  the  remainder  of  his  time.  When 

12  Brad  returned,  we  got  hit  with  a  big  snow  storm  on  Friday  night,  the 

13  5th  of  February,  so  we  ended  up  not  doing  very  much  other  than 

14  playing  board  games.  After  the  snow  storm,  we  were  without  power 

15  until  Sunday,  the  7th  of  February.  I  recall  Brad  leaving  during  this 

16  time  by  walking  out  to  the  main  road  and  telling  me  that  a  friend  was 

17  going  to  pick  him  up.  I  do  not  know  where  he  went,  as  it  was  not  my 

18  usual  practice  to  ask  him  where  he  was  going.  Brad  left  for  Iraq  on 

19  the  morning  of  the  9th  of  February. 

20  On  November  2nd,  2010,  Special  Agent  (SA)  Mark  Mander 

21  searched  my  house  in  connection  with  this  case.  I  willingly 

22  consented  to  this  search.  Prior  to  the  search,  I  identified  items 

23 belonging to Brad and allowed SA Mander to search Brad's room in the

1 basement. I also identified Brad's possessions and several boxes

2  that  contained  Brad's  possessions.  These  boxes  and  the  surrounding 

3  area  only  contained  Brad's  possessions.  One  of  the  boxes  was  a  box 

4  that  Brad  had  sent  to  me  in  April  of  2010  from  Iraq.  The  box 

5  contained  two  soft  cover  books,  two  Maryland  T-shirts  and  one  FOB 

6  Hammer  Iraq  T-shirt.  After  SA  Mander  finished  his  search,  he  set 

7  aside  a  number  of  items  on  Brad's  bed  and  asked  me  whether  any  of  the 

8  items  belonged  to  me  or  anyone  else,  and  not  Brad.  I  identified  all 

9  the  items  as  belonging  to  Brad.  I  am  familiar  with  the  items  that 

10  were  collected  by  SA  Mander.  He  collected  several  of  Brad's  personal 

11  items  like  books,  packages,  and  digital  media. 

12  Special  Agent  Mander,  Special  Agent  John  Wilbur,  Special 

13  Agent  Ronald  Rock,  and  Special  Agent  Ezio  Veloso  came  to  interview  me 

14  on  June  18th,  2010.  The  agents  asked  me  several  questions.  One  of 

15  the  agents  asked  me  about  how  Brad  felt  about  the  Army.  Based  upon 

16  our  discussions,  I  knew  that  Brad  was  proud  of  his  job  and  of  being 

17  in  the  Army.  However,  Brad  seemed  to  be  very  quiet  when  he  returned 

18  from  Iraq  for  his  mid-tour  leave.  He  also  seemed  depressed  to  me. 

19  The  agents  also  asked  me  about  the  various  email  accounts  that  I  had 

20  used  over  the  years  and  that  Brad  had  used  over  the  years  and  his 

21  Facebook  account.  I  am  familiar  with  Brad's  email  accounts.  The 

22  account  names  that  Brad  used  in  connections  —  in  communications  with 

23 me are "bradley.e.manning@gmail.com" and "brad405@earthlink.net". I

1 also told the agents that, excuse me, Your Honor, I also told the

2  agents  the  five  different  email  addresses  that  I  had  used  with  Brad 

3  over  the  years.  Most  of  those  email  addresses  were  either  Gmail  or 

4  Earth  Link  addresses.  I  am  also  familiar  with  Brad's  Facebook 

5  account,  as  I  followed  Brad  on  Facebook  and  also  posted  a  message  to 

6  his  Facebook  page  on  his  request  after  his  arrest.  Brad  called  me 

7  from  Kuwait  after  his  arrest.  During  our  conversation,  he  asked  me 

8  if  I  had  seen  the  apache  helicopter  video.  When  I  said  that  I  had 

9 not, Brad asked me to do a search for "Collateral Murder." Brad

10 believed the video was going to be "big news" and that it would make

11 a "big splash" in America. As part of this conversation, Brad asked

12  me  to  post  a  message  to  his  Facebook  account  to  let  others  know  that 

13  he  was  alive  and  why  he  was  arrested.  I  posted  the  following  message 

14  for  Brad:  "Some  of  you  may  have  heard  that  I  have  been  arrested  for 

15  disclosure  of  classified  information  to  unauthorized  persons  See 

16 http://collateralmurder.com/".

17  I  recognize  the  picture  marked  as  Prosecution  Exhibit  (PE) 

18  40  for  Identification.  PE  40  for  ID  is  a  picture  of  Brad  in  his  room 

19  taken  while  he  was  on  his  mid-tour  leave.  I  know  this  because  the 

20  picture  captures  how  Brad  and  his  room  looked  around  that  time 

21 period.

Ma'am, the United States moves to admit what has been
marked  as  Prosecution  Exhibit  40  for  Identification  as  Prosecution 
Exhibit  40. 

ADC [MAJ  HURLEY]:  No  objection,  ma'am. 

MJ:  All  right.  Prosecution  Exhibit  40  for  Identification  is 

admitted. 

TC [MAJ  FEIN]:  Ma'am  Prosecution  Exhibit  78.  Stipulation  of 
Expected  Testimony  Special  Agent  Mark  Mander  9  June  2013. 

It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and 
Trial  Counsel,  that  if  SA  Mark  Mander  were  present  to  testify  during 
the merits and pre-sentencing phases of this court-martial, he would
testify  substantially  as  follows: 

On  2  November  2010,  Special  Agent  John  Wilbur  and  I  visited 
Ms.  Debra  Van  Alstyne  at  Ms.  Van  Alstyne's  residence  in  Potomac, 
Maryland. We were searching for a box that had been sent to Ms. Van
Alstyne's  residence  from  the  confinement  facility  in  Kuwait  where  PFC 
Manning  had  been  held.  As  procedure,  the  confinement  facility 
collects  personal  items,  like  your  wallet  or  clothing,  and  places 
them  in  a  container.  I  thought  those  items  may  have  some  evidentiary 
value,  but  we  were  unable  to  obtain  an  authorization  to  search  the 
container prior to PFC Manning's departure from Kuwait. Once PFC
Manning left the confinement facility, the standard procedure is for
the facility to ship the personal items to the confinee's home of

1 record. I was able to determine that the box had been signed for by

2  PFC  Manning's  father  at  Ms.  Van  Alstyne's  residence,  so  we  contacted 

3  Ms.  Van  Alstyne  to  see  if  she  had  received  the  box  as  well  as  to 

4 inquire into any other items of evidentiary value in the basement

5  room  where  PFC  Manning  had  stayed. 

6  When  we  arrived  on  2  November  2010,  I  noticed  that  many  of 

7 PFC Manning's personal items that had been strewn about in June 2010,

8 when I last visited Ms. Van Alstyne, were now organized into plastic

9  containers.  During  the  process  of  looking  through  the  containers,  we 

10  identified  several  items  of  digital  media,  including  digital  memory 

11  cards.  With  Ms.  Van  Alstyne's  consent,  we  collected  these  items  of 

12  digital  media.  One  of  the  items  we  collected  was  an  SD  memory  card, 

13  bearing  the  serial  number  BE0915514353G.  Ms.  Van  Alstyne  identified 

14 this SD memory card as the property of PFC Manning.

15  Using  standard  evidence  collecting  procedures,  I  collected 

16  this  SD  memory  card  by  marking  it  with  "2123,  2  November  2010,  MAM" 

17  for  identification.  I  then  recorded  it  as  Item  2  on  a  DA  Form  4137 

18  marked  as  document  number  DN  162-10.  Using  the  DA  Form  4137,  I 

19  properly  released  this  piece  of  evidence  to  the  CCIU  evidence 

20  custodian,  Ms.  Tamara  Mairena  on  3  November  2010.  While  in 

21  possession  of  this  item,  I  maintained  control  over  it,  stored  it 

22 properly, and allowed no one else access to the SD card. I did not

1 alter the evidence in any way. I have no reason to believe this

2  evidence  was  damaged  or  contaminated  in  any  way. 

3  Prosecution  Exhibit  92,  for  Identification  is  the  SD  card 

4  Item  2  of  DN  162-10. 

5  Your  Honor,  United  States  moves  to  admit  as  evidence 

6  Prosecution  Exhibit  92  for  Identification  as  Prosecution  Exhibit  92. 

7  ADC [MAJ  HURLEY]:  No  objection,  ma'am. 

8  MJ:  May  I  see  it,  please. 

9  TC [MAJ  FEIN]:  Your  Honor,  may  I  have  a  moment?  Your  Honor,  may 

10  we  actually  mark  this  during  the  next  recess? 

11  MJ:  Yes.  Prosecution  Exhibit  92? 

12  TC [MAJ  FEIN]:  Yes,  ma'am,  it  is.  We're  ready  to  call  the  next 

13  witness. 

14  MJ:  Looking  at  the  time,  do  you  want  to  take  a  brief  recess 

15  right  now? 

16  CDC [MR.  COOMBS]:  Yes,  Your  Honor. 

17  TC [MAJ  FEIN]:  Well,  ma'am,  we  can  but  we're  going  to  ask  for 

18  another  recess  after  this  next  recess  to  reset  the  evidence,  but  we 

19  could  do  two  recesses. 

20  MJ:  Is  this  witness  anticipated  to  be  very  long. 

21 ATC [CPT MORROW]: No, this is the examination of the SD card.

1 TC [MAJ FEIN]: And then Special Agent Shaver is being called and

2  then  he  is  going  to  stay  on  the  stand  for  the  next  portion  but  we 

3  need  a  recess  between  those  two  portions. 

4  MJ:  And  you  would  like  a  recess  now  anyway? 

5  CDC [MR.  COOMBS]:  Well,  actually,  if  it's  just  for  the  SD 

6  card,  once  they  put  the  witness  on  the  stand,  we  would  stipulate  to 

7  the  SD  card  and  its  contents.  So  if  that  would  speed  up  the 

8  government's  direct,  it  might  be  one  question. 

9 ATC [CPT MORROW]: The contents are important, Your Honor, so

10  are  the  dates  of  the  creation  of  the  files. 

11  MJ:  Go  ahead  and  call  your  witness. 

12  ATC [CPT  MORROW]:  United  States  recalls  Special  Agent  David 

13  Shaver. 

14  MJ:  Mr.  Coombs,  tell  me  one  more  time  what  the  defense  is  going 

15  to  stipulate  to? 

16  CDC [MR.  COOMBS]:  We  would  stipulate  to  the  contents  of  the  SD 

17  card.  So  if  Agent  Shaver  is  being  called  to  say  what  was  on  the  SD 

18  card,  we  would  stipulate  that  that's  accurate. 

19  MJ:  Go  ahead  and  call  the  witness. 

20  [END  OF  PAGE] 


SPECIAL  AGENT  DAVID  SHAVER,  was  recalled  as  a  witness  for  the 
prosecution,  was  reminded  he  was  still  under  oath,  and  testified  as 
follows:

DIRECT  EXAMINATION 

Questions by the assistant trial counsel [CPT Morrow]:

Q.  Agent  Shaver,  do  you  recall  examining  a  SD  card  found  in 
PFC  Manning's  aunt's  house? 

A.  Yes. 

Q.  And  who  requested  that  you  examine  this  digital  media? 

A.  One  of  the  CCIU  agents  did. 

Q.  Did  you  examine  the  actual  SD  card  itself  or  an  image  of 
the  SD  card? 

A.  Sir,  I  checked  out  the  evidence  from  the  evidence  room, 
created  a  forensic  image,  verified  the  forensic  image  and  checked  the 
evidence  back  in.  I  worked  off  the  image  file. 

Q.  Agent  Shaver,  what  did  you  find  in  the  unallocated  space  on 
the  SD  card? 

A. I found several pictures, partial movies and some text
files.

Q. What were the text files?

A.  They  were  pertaining  to  the  CIDNE  documents  and  the 
SIGACTs. 

Q. And what was found in the allocated space on the card?

A. Sir, there was one file, yada.tar.bz2.NC.

Q.  Where  was  this  found  on  the  SD  card? 

A.  There  was  a  folder  called  DCIM. 

Q.  What  is  a  DCIM? 

A. Sir, that's a standard folder that's created by digital
cameras.

Q.  What  is  it  used  for? 

A.  It  is  for  organization  of  photos. 

ATC [CPT  MORROW]:  I'm  retrieving  what's  been  marked  as 

Prosecution  Exhibit  105  for  Identification  from  the  court  reporter. 
I'm  handing  the  witness  what's  been  marked  as  Prosecution  Exhibit  105 
for  Identification. 

Q.  Agent  Shaver,  do  you  recognize  that  image? 

A.  Yes,  sir;  I  do. 

Q.  What  is  it? 

A.  Sir,  it's  a  screenshot  I  created  of  the  file 
yada.tar.bz2.NC and the creation date.

Q.  How  do  you  create  a  screenshot  like  that? 

A. Sir, this is actually a screenshot of EnCase forensic
program.

ATC [CPT MORROW]: Permission to publish, Your Honor?

MJ: Go ahead.

[There was a brief pause while the assistant trial counsel published
the  exhibit  for  the  witness  and  the  Court.] 

MJ:  What  is  that  noise? 

TC [MAJ  FEIN]:  Ma'am,  it's  the  projector  turning  on  and  off. 

MJ:  Okay. 

Q.  Agent  Shaver,  can  you  identify  on  the  screenshot  the  file 
you're  referring  to? 

A.  Yes,  sir,  it's  the  file  in  the  middle. 

Q.  And  just  let's  go  through  the  file  itself.  What  is  the  NC 

10  on  the  end  of  that  file  mean? 

11  A.  Sir,  that's,  it's  a  default  standard  file  naming  for  a  file 

12  which  has  been  encrypted  using  the  M  crypt  software. 

13  Q.  What  is  M  crypt? 

14  A.  That's  an  open  source  utility  to  encrypt  files. 

15  Q.  And  when  you  say  encrypted,  how  would  you  open  this  file? 

16  A.  You  needed  a  password. 

17  Q.  And  were  you  able  to  open  this  file? 

A.  Yes,  sir;  I  was. 

Q.  What  password  did  you  use? 

A.  Sir,  I  used  a  password  provided  —  PFC  Manning  provided  to 

21  Mr.  Lamo  in  the  chats. 

22  Q.  And  what  date  was  this  file  created? 

23 A. January 30th, 2010.

Q. And how do you know that?

A.  Because  that's  what  the  date  is  shown  here,  sir. 

Q.  What  date  are  you  referring  to? 

A.  The  file  created  date,  sir. 

Q.  And  when  you  opened  this  file,  what  was  contained  within? 

A.  Sir,  there  were  four  files  contained  therein. 

ATC [CPT  MORROW]:  I'm  handing  Prosecution  Exhibit  105  for 

Identification  back  to  the  court  reporter,  and  retrieving  Prosecution 
Exhibit  50  for  Identification.  I'm  handing  the  witness  what's  been 
marked  as  Prosecution  Exhibit  50  for  Identification. 

Q. Do you recognize that, Agent Shaver?

A.  Yes,  sir;  I  do. 

Q.  What  is  it? 

A.  It's  a  screenshot  I've  created  of  the  contents  of  the  file. 
It  shows  the  file,  the  four  files  contained  therein  and  the  last 
written  date. 

Q.  And  how  is  that  created? 

A.  Sir,  it's  a  screenshot  of  the  EnCase  forensic  software. 

ATC [CPT  MORROW]:  Permission  to  publish  to  the  courtroom? 

MJ:  Go  ahead. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  published 
the exhibit to the witness and the Court.]

1 Q. We don't need to necessarily go through, well, actually

2 let's briefly go through the top file. AFG_Events.CSV what was

3  contained  in  that? 

4  A.  Sir,  that  was  approximately  91,0000  complete  SIGACTs 

5  pertaining  to  the  Afghan  theater. 

6  Q.  And  what  date  was  that  file  created? 

7  A.  Sir,  that  was,  I  could  say,  the  file  —  because  the  file 

8  was  encrypted  and  the  files  were  zipped  up,  the  actual  creation  date 

9  was  lost,  but  the  last  written  date  remains. 

10  Q.  What  does  the  last  written  date  tell  you? 

11  A.  That's  the  last  time  the  file  was  written  to  or  updated. 

12  That  date  would  be  January  8th,  2010. 

Q. And again let's go down to the next file. IRQ_events.CSV.
What was in that file?

A. Sir, approximately 390,000 complete SIGACTs pertaining to,
from CIDNE database pertaining to the Iraq theater.

Q. What date was that last — that file last written?

A. It was January 5th, 2010.

Q. And finally, the file README.txt, what was contained in
that file?

A. Sir, that was kind of, it was just a text file contained
some information about the two CSV files.

Q. What about that last file?

A. Sir, that's a temporary file. It was written by, created
by the Macintosh operating system. There's no real pertinent
information in there except it shows that a Macintosh was used to
create it.

Q. When was the README.txt created — or the README.TXT file
last written?

A. Last written, sir, January 9th, 2010.

ATC [CPT MORROW]: I'm handing Prosecution Exhibit 50 for
Identification to the court reporter.

MJ: Before you do that, I didn't catch the number for the first
file. How many — What was in it?

WIT: Afghan?

MJ: Whatever the first file was.

WIT: Approximately 91,0000.

MJ: Thank you.

ATC [CPT MORROW]: I'm retrieving Prosecution Exhibit 42 for
Identification. I'm handing the witness what's been marked as
Prosecution Exhibit 42 for Identification.

Questions continued by the assistant trial counsel [CPT MORROW]:

Q. Agent Shaver, do you recognize that document?

A. Yes, sir, I do.

Q. And what is that?

A. Sir, that is the README.txt file contained within the
yada.tar.bz2 of that NC file.

Q. Generally, what does the text file describe?

A. It describes the files, the CIDNE documents. The Iraq and
Afghanistan significant activities, SIGACTs.

ATC [CPT MORROW]: Permission to publish to the Court, Your
Honor?

MJ: Go ahead.

[There was a brief pause while the assistant trial counsel published
the exhibit to the witness and the Court.]

Q. Is that an accurate representation of the file you just
looked at, Agent Shaver?

A. Yes, sir.

ATC [CPT MORROW]: Your Honor, the prosecution moves to admit
Prosecution Exhibit 42 for Identification into evidence as
Prosecution Exhibit 42.

ADC [CPT TOOMAN]: No objection, Your Honor.

MJ: Prosecution Exhibit 42 is admitted.

ATC [CPT MORROW]: Thank you, Agent Shaver.

MJ: Cross-examination?

[END OF PAGE]

CROSS-EXAMINATION

Questions by the assistant defense counsel [CPT TOOMAN]:

Q. Good afternoon, Agent Shaver?

A. Good afternoon, sir.

Q. Agent Shaver, I want to talk first about you talked about
the contents of the SD card and you were talking about the file
written or the file created date?

A. Correct.

Q. And I believe you said the Afghan war diary, that was
written on 8 January?

A. I would have to see that document again to be sure, but.

Q. Okay.

ADC [CPT TOOMAN]: Can I retrieve Prosecution Exhibit 50?

MJ: That's still 50 for Identification.

ADC [CPT TOOMAN]: For Identification. Thank you, ma'am.
Permission to publish this, Your Honor.

MJ: Yes.

[There was a brief pause while the assistant defense counsel
published the exhibit to the witness and the Court.]

Q. Agent Shaver, we have got the Afghanevents.CSV file and
last date written 8 January?

A. Correct.

Q. Would you agree with me that date could be associated with
when that file was placed on the SD card?

A.  No.  Maybe.  I'm  sorry,  sir,  I  don't  —  I  don't  have  a 
definitive  answer.  It  was  contained  within  a  zip  file. 

Q.  Okay.  Is  it  possible  that  that,  that  the  last  written  date 
changed  when  the  file  was  put  on  the  zip  --  on  the  SD  card? 

A.  Could,  yes,  sir. 

Q.  So  it  doesn't  necessarily  mean  that  that's  the  last  time 
the  file  was  added  to  or  changed  the  substance  of  that  document? 

A.  It's  possible;  yes,  sir. 

Q.  And  the  same  would  of  course  then  be  true  for  - 

A.  The  others. 

Q.  The  others? 

ADC [CPT  TOOMAN] :  Returning  Prosecution  Exhibit  50  for 

Identification. 

Q.  Now,  those  files  were  in  a  zip  file,  correct? 

A.  Yes,  sir. 

Q. And that was, that had a password?

A.  Yes,  sir. 

Q.  And  it  was  encrypted.  And  you  testified  that  you  received 
the  password  or  you  got  access  to  the  password  through  the  chats? 

A.  Correct. 

Q. Between PFC Manning and Mr. Lamo; is that correct?

A. Uh, huh. Yes, sir.

Q.  Now,  the  password  that  was  discussed  in  those  chats  was 
actually  for  PFC  Manning's  AKO  account,  wasn't  it? 

A.  I  believe  so,  yes,  sir. 

Q.  So  it  was  just  kind  of  luck  that  that  password  also  opened 
this  file? 

A.  It  is  what  it  is,  sir.  It's  the  same  password. 

Q.  Okay.  Fair  enough.  It  wasn't  —  In  the  chat,  it  wasn't 
identified  as,  hey,  here's  the  password  for  this  encrypted  file? 

A.  Yes,  sir;  you're  correct. 

Q.  It  was  identified  as  here's  the  password  for  my  AKO 
account? 

A.  Correct. 

Q.  Okay.  Now,  once  you,  you  use  that  password  to  get  into  the 
encrypted  file  and  you  got  those  CSV  files,  what  did  you  do  with 
those? 

A.  I  extracted  them  and  I  provided  them  to  the  case  agent. 

Q.  When  you  extracted  them,  what  did  you  put  them  in?  What 
program  did  you  use? 

A.  I  extracted  them  and  gave  them  as  is,  I  didn't,  you  can 
open  with  Excel. 

Q. Okay. So you can open those with an Excel document and you
gave those to the case agent.

ADC [CPT TOOMAN]: I'd like to retrieve what's been marked as
Defense Exhibit Echo for Identification. And Agent Shaver, I'll ask
you to move over here to the panel box. I'm handing Defense Exhibit
Echo for Identification to the witness.

Q.  Agent  Shaver,  please  look  at  that  document.  What  is  that? 

A.  Sir,  this  is  a  SIGACT. 

Q.  How  do  you  know  that? 

A.  Sir,  I  created  this.  I  extracted  the  SIGACT  from  the 
CIDNE,  one  of  these  files,  I'm  sorry,  I  forget  the  file  name. 

Q.  Was  it  from  the  Iraq  events? 

A.  Yes,  sir. 

Q.  How  did  you  go  about  creating  that  file? 

A.  Sir,  I  copied  each  line  of  the  CSV  is  a  complete  SIGACT.  I 
highlighted  a  specific  line,  copied  it.  I  put  it  into  notepad  which 
I  removed  all  formatting.  I  then  recopied  it  from  notepad  into 
Microsoft  Word.  Printed  it  and  initialed  this. 

ADC [CPT TOOMAN]: Can I have a moment, Your Honor?

MJ:  Yes. 

[There was a brief pause while the assistant defense counsel
consulted with co-counsel.]

Q.  Agent  Shaver,  what's  the  date  on  that  SIGACT? 

A.  30  December  2009.  Am  I  reading  the  right  place? 

ADC [CPT TOOMAN]: Permission to approach?

MJ: Yes.

Q.  Agent  Shaver,  what's  the  date  on  that? 

A.  Sorry,  December  24,  2009. 

Q.  Okay.  And  without  answering  in  a  classified  manner,  what's 
the  general,  what  sort  of  incident  does  that  report? 

A.  Appears  IEDs  explosion. 

ADC [CPT  TOOMAN] :  I'm  going  to  retrieve  Defense  Exhibit  Echo 

for  Identification  and  offer  it  as  Defense  Exhibit  Echo. 

MJ:  All  right.  Yes? 

ATC [CPT MORROW]: No objection, Your Honor.

MJ:  Okay.  Getting  late  in  the  day.  Did  I  actually  initial  it? 

ADC [CPT TOOMAN]: I'm sorry, Your Honor.

MJ:  I  think  I  will  need  that  recess.  Defense  Exhibit  Echo  for 

Identification  is  admitted. 

ADC [CPT  TOOMAN]:  Agent  Shaver,  thank  you.  That's  all  the 

questions  I  have. 

MJ:  Redirect? 

ATC [CPT  MORROW]:  Yes,  Your  Honor. 

[END OF PAGE]

REDIRECT EXAMINATION

Questions by the assistant trial counsel [CPT MORROW]:

Q. Agent Shaver, I'm going to ask you, without pulling out
Defense Exhibit Echo again — if you would move back to the witness
stand, please — when you read that SIGACT, was any information
redacted?

A. No.

Q. So the units were identified?

A.  Yes. 

ADC [CPT  TOOMAN] :  Objection.  Leading. 

MJ:  Overruled. 

Q.  Was  any  information  redacted? 

A.  No,  sir. 

Q.  Was  any  information  replaced  by  markers? 

A.  I  did  not  see  any. 

ATC [CPT  MORROW]:  No  further  questions. 

ADC [CPT  TOOMAN]:  Nothing,  ma'am. 

MJ:  All  right.  Temporary  excusal? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

[The  witness  was  temporarily  excused,  reminded  of  his  previous 
warning,  and  withdrew  from  the  courtroom.] 

TC [MAJ FEIN]: The United States asks for a 20-minute recess.

MJ: The Court is in recess until 15:35, or 3:35.

[The court-martial recessed at 1520, 11 June 2013.]

[The  court-martial  was  called  to  order  at  1542,  11  June  2013.] 

MJ:  Court  is  called  to  order.  Major  Fein,  please  account  for 

the  parties? 

TC [MAJ  FEIN]:  All  parties  when  the  Court  last  recessed  are 
again  present  with  the  exception  of  Captain  von  Elten. 

MJ:  Is  the  government  ready  to  proceed? 

ATC [CPT  MORROW]:  Yes,  Your  Honor,  the  government  recalls 

Special  Agent  David  Shaver. 

SPECIAL AGENT DAVID SHAVER, was recalled as a witness for the
prosecution, was reminded he was still under oath, and testified as
follows:

DIRECT  EXAMINATION 

Questions  by  the  assistant  trial  counsel  [CPT  Morrow] : 

Q.  Agent  Shaver,  I'd  like  to  discuss  your  examination  of  a 
couple  of  SIPRNET  computers.  But  first,  what  were  the  IP  addresses 
of  the  SIPRNET  computers  you  examined  in  this  case? 

A.  I  examined  several  but  primarily  two,  were  .22  and  .40. 

Q.  And  when  you  say  .22  what  are  you  referring  to? 

A. I'm referring to the IP address, the internet protocol
address.

Q. What was your process for examining this computer?

A. The process was to verify the hash values and make sure it
was an accurate image. And then start conducting examination to see
what's there. Search both the allocated and unallocated spaces.

Q. And when you said — Did you verify the hash values?

A. Yes, sir, I did.

Q. Now, with respect to the .22 computer, what did you look
for first, or what were you looking for first?

A. I was looking to see what files were present. First off,
was there a Bradley.Manning user profile.

Q. Did you find one?

A. Yes, sir, I did.

Q. What do you mean by what files were present?

A. I wanted to see what files were present within the user
profile. Again at this time I hadn't been given the chat log so I
was looking at things concerning the Department of State and things
like that.

Q. And when you say present, are you referring to allocated
files?

A. Yes, sir; I am.

Q. Now, what kind of web browser was under PFC Manning's
profile?

A. There were two.

Q. What were the two?

A. Internet Explorer and Firefox.

Q.  What  was  the  configuration  of  the  Internet  Explorer  web 
browser? 

A.  That  was  a  standard  Army  build  where  the  user  can  surf  the 
web  but  could  not  clear  the  internet  history. 

Q.  And  where  does  a  computer  keep  Internet  history? 

A. For Internet Explorer it keeps it in a user file called
index.dat file.

Q.  What  does  the  index.dat  file  contain? 

A.  It  contains  things  like  times  and  dates,  files  accessed 
either  locally  or  remotely  and  IPs  address. 

Q.  You  said  files  accessed.  What  do  you  mean  by  that? 
Describe  how  the  computer  would  log  some  action  on  the  computer  in 
the  —  or  action  by  the  user  in  the  index.dat  file? 

A.  If  you  went  to  a  web  page,  it  would  log  it  as  a  web  page. 
If  he  went  to  CNN.com,  it  would  be  there.  It  would  also  —  If  he 
accessed  a  file  on  his  desktop,  like  if  you  double  clicked  on  a  Word 
document  that  would  be  there  as  well. 

Q.  You  said  this  computer  had  a  Firefox  web  browser  as  well. 
Is  that  correct? 

A.  Yes,  sir. 

Q. And what was — How was that web browser configured?

A. That was configured to run in privacy — private mode —
private browsing mode wherein no user history would be maintained.

Q. And what was the home page of the Firefox web browser?

A. Intelink.

Q. Now, you were looking for the files that were present on
the computer. Did you find any files that seemed to be odd or at
least were pertinent to the investigation as you knew it at that
point?

A. Yes, sir.

Q. What did you find?

A. Within the user profile Bradley.Manning there was a folder
called bloop and within there, there was files.zip. The files.zip
contained over 10,000 complete Department of State cables.

Q. So let's, we'll take each of those in turn.

ATC [CPT MORROW]: I'm retrieving what's been marked as
Prosecution Exhibit 104 for Identification. I'm handing the witness
what's been marked as Prosecution Exhibit 104 for Identification.


A. Yes, sir.

Q. Agent Shaver, do you recognize that information?

A. Yes, sir, I do.

Q. What is it?

A. Sir, this is a screen shot I created of the folder.
It contains deleted files and file creation dates.




Q.  And  is  the  folder  bloop? 

A.  Yes. 

Q.  How  would  you  create  a  screen  shot  like  this? 

A.  Sir,  this  is  a  screen  shot  of  the  Encase  program  which 

allows  you  to  see  the  allocated  and  unallocated  deleted  files. 

ATC [CPT  MORROW]:  Your  Honor,  permission  to  publish  to  the 

Court? 

MJ:  Go  ahead. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  published 
the  exhibit  to  the  Court.] 

Q. Agent Shaver, can you point out the files, essentially the
files that you just talked about earlier? Let's start with
backup.XLSX.

A.  Yes,  sir. 

Q.  Generally,  what  was  in  that  file? 

A.  Sir,  that  was  a  Excel  spreadsheet  with  three  tabs.  The  tabs 
were  0310-0410,  the  next  tab  was  0510  and  the  last  one  was  Wget. 

Q.  And  you  also  mentioned  files.zip? 

A.  Correct. 

Q.  What  was  in  files.zip? 

A. Files.zip contained, actually it was a partially corrupted
zip file that contained over 10,000 complete Department of State
cables.




Q. And when you say partially corrupted, what do you mean by
that?

A. Something went wrong when this file — when the zip file
was created. I don't know what, but I can tell you a normal user
when they tried to view it, win.zip would give you the error, this
file is corrupted you cannot view it. Using the Encase forensic
software it still allowed me to view the contents.

Q. Okay. What was the format of Department of State cables in
files.zip?

A.  They  were  HTML. 

Q.  What  is  HTML? 

A. It's a web page.

ATC [CPT  MORROW]:  I'm  retrieving  what's  been  marked  as 

Prosecution  Exhibit  101  for  Identification.  I'm  handing  the  witness 
what's  been  marked  as  Prosecution  Exhibit  101  for  Identification. 

A.  Yes,  sir. 

Q.  Agent  Shaver,  do  you  recognize  that  image? 

A.  Yes,  sir;  I  do. 

Q.  What  is  it? 

A.  Sir,  this  is  the  contents  of  the  backup  .XLSX  file. 

Q. And, just for the Court, what is .XLSX, what is that
extension?

A. That is Office Excel document.

ATC [CPT MORROW]: Permission to publish to the Court, Your
Honor?

MJ:  Okay. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  published 
the  exhibit  to  the  Court.] 

Questions  continued  by  the  assistant  trial  counsel  [CPT  MORROW] : 

Q.  Agent  Shaver,  is  this  the  top  of  the  Excel  file  or  the 
bottom  of  the  Excel  spreadsheet? 

A.  It  appears  to  be  the  bottom. 

Q.  Let's  go  through  the  tabs.  You  said  there's  a  Wget  tab.  I 
see.  0310-0410  what  does  that  contain? 

A.  Sir,  those  contain  the  Department  of  State  cables  which  had 
been  published  by  the  various  embassies  throughout  the  world  for  the 
March  and  April  2010  timeframe. 

Q.  What  does  the  0510  tab  contain? 

A.  Similar  files.  They  were  Department  of  State  cables 
published  by  various  embassies  throughout  the  world  for  May  2010. 

Q.  When  you  said  Department  of  State  cables,  was  it  the  full 
cables? 

A.  Yes,  sir.  Oh,  a  year? 

Q.  These  are  the  full  cables? 

A.  No,  sir,  these  were,  no,  sir,  they  were  not. 

Q. What did this spreadsheet -

A. I'm sorry. Sir, the -

Q.  - Show. 

A.  Sure,  the  first  left  number  was  a  tracking  number  created 
by  the  user.  The  date  and  time,  again,  of  the  file  apparently  when 
it  was  retrieved.  The  embassy,  the  embassy's  cable  name  and  the 
embassy's  common  name  and  the  classification  marking. 

ATC [CPT  MORROW]:  I'm  retrieving  what's  been  marked 

Prosecution  Exhibit  102  for  Identification. 

Q.  Agent  Shaver,  do  you  recognize  that  document? 

A.  Yes,  sir;  I  do. 

Q.  What  is  it? 

A.  Again,  this  is  a  same  backup  XLSX  file. 

Q.  And  how  is  that  document  created? 

A.  This  is  a,  just  a  screen  shot,  from  Excel. 

Q.  What's  the  number  on  the  top  left? 

A.  The  ID  number,  sir,  is  251288. 

ATC [CPT MORROW]: And, I'm retrieving from the witness.
Permission to publish, Your Honor?

MJ:  Go  ahead. 

[There was a brief pause while the assistant trial counsel published
the exhibit to the Court.]

Q. What was the significance in this investigation to 251288,
the top left number?

A. The WikiLeaks had published 251,287 documents.

ATC [CPT MORROW]: Your Honor, the prosecution moves to admit
Prosecution Exhibit 102 for Identification into evidence as
Prosecution Exhibit 102.

ADC [CPT TOOMAN]: No objection, ma'am.

MJ: All right. Let me see it. Prosecution Exhibit 102 for
Identification is admitted.

ATC [CPT  MORROW]:  Let's  talk  about  the  Wget  worksheet.  I'm 

retrieving  what's  been  marked  as  Prosecution  Exhibit  100  for 
Identification.  I'm  handing  Prosecution  Exhibit  100  for 
Identification  to  the  witness. 

Questions  continued  by  the  assistant  trial  counsel  [CPT  MORROW] : 

Q.  Do  you  recognize  that  image? 

A.  Yes,  sir;  I  do. 

Q.  What  is  this? 

A.  Sir,  it's  a  screen  shot  of  the  Wget  tab  within  the  backup 
of  the  dot  XLXS  file. 

ATC [CPT MORROW]: Permission to publish, Your Honor?

MJ:  Go  ahead. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  published 
the  exhibit  to  the  Court.] 

Q. Agent Shaver, can you just describe how someone would use
Wget or how this might be used in conjunction with the program Wget?

A. Yes, sir. This spreadsheet, what this shows here is the
Wget command being populated. The Wget-0 is the output file is the
Department of State name and further there's the address of the
website and what to get.

Q.  What  do  you  refer  to  when  you  said  the  web? 

A.  The  NCstate.SD.gov. 

Q.  NC  state? 

A.  Yes,  sir,  NCDstate. 

Q.  It's  okay.  Sorry.  Keep  going.  So? 

A.  /message/reference  and  there  would  be  the  Department  of 
State  cable  itself. 

Q.  Now,  how  would  you  use  Wget,  how  would  you  use  a  message 
record  number  to  download  cables  from  the  State  Department? 

A.  That's  how  they're  stored  by  message  record  number.  So 
that's  how  they  would  be  stored.  If  you  would  like  to  retrieve  it, 
you  would  have  to  request  it  by  day.  So  in  this  case  the  first  top 
line  you  can  see  that  the  file  10cavaral53,  that  cable  is  being 
downloaded. 

Q.  Okay.  Now,  where  does  Wget  run  from? 

A.  From  the  command  line. 

Q.  Does  it  run  from  the  server,  the  NCD  server  or  from  the 
computer? 

A. It's a local program. It runs from a local computer.

Q. What other — first I'm handing the prosecution exhibits
back to the court reporter.

What other Wget related information did you find on this
computer?

A. Within Windows prefetch files there showed there was
prefetch files where I captured Wget being run from the
Bradley.Manning user profile on several occasions.

Q. What are prefetch files?

A. Sir, that's a Microsoft Windows feature whereas the
Microsoft will cache parts of the information about a program so the
next time you run it, it will run faster.


Q. Now, you said from different locations?

A. Yes, sir.

Q. What do you mean by that?

A. The prefetch files, part of, what it captures, it also
captures the path of the program. Within the prefetch file there are
several prefetch files which will run from various locations within
the Bradley.Manning user profile. So the Wget was copied to various
folders within and then run.

Q. Why would Wget be run from different folders?

A. To capture the data faster.

Q. And when did Wget appear in PFC Manning's user profile on
the computer?

A. It first appeared in March 2007 or March 7th, 2010.

Q. And but was that under his user — did you find that in the
user profile?

A. No, sir. I found that through the prefetch. The file Wget
was present in the allocated space in the Bradley.Manning user
profile, I believe it was 4 May 2010.

Q. What does the presence of Wget in a prefetch file in early
March tell you when the Wget program was put on the computer and
formatted?

A. It means it was, it was there prior, it was obviously on
the computer within again the Bradley.Manning user profile in March
2010, and it was physically located, created in May 2010. So that
means the file was copied and placed there again.

Q. What other findings did you make regarding the Department
of State information?

A. Sir, within the Windows temp folder there were two files,
both have the SID, the security identifier of the user profile
Bradley.Manning and these two files each contain several hundred
complete Department of State cables. They were in a CSV format and
-- but however they had been Base64 encoded.

Q. Let's start first, what is the Windows temp folder?

A. That is a default folder for the Windows operating system
to write temporary files to.

Q. And you said CSV file, what is a CSV file?

A.  Sir,  that's  comma  separated  value. 

Q.  Why  would  someone  use  a  CSV  file? 

A.  That's  to,  the  ease  of  moving  data  around.  CSV  is  a 
standard  format  for  that. 

Q.  You  also  mentioned  Base64? 

A.  Yes,  sir. 

Q.  What  is  Base64? 

A.  That's  a  method  of  encoding.  Encoding  is  —  it's  a  way  of 
transposing  data  to  make  it  easier  to  move  it.  It  compacts  it,  but 
it  also  makes  it  easier. 

Q. Why would someone convert HTML to Base64 and embed it in
CSV?


A.  A  CSV  is  a  comma  separated  value.  Department  of  State 
cables  are  sentences  so  they  would  have  commas,  periods,  things  like 
that.  So  the  comma  separated  value  file  only  works  if  you  use  commas 
in  the  right  location.  If  there's  extra  commas,  everything  gets 
spread  out.  It  doesn't  line  up.  It  doesn't  work  right.  By  encoding 
it  with  Base64  you  alleviate  that  problem.  So  it's  only  the  commas 
that  you  tell  it  to  be  there. 

Q. And did you search the unallocated -- this was, now I
believe we have been talking about allocated space, but did you
search the unallocated space for the Department of State information?

A. Yes, sir.

Q. What did you find?

A. Sir, I found over 100,000 complete and partial Department
of State cables in the unallocated space.

Q. What do you mean by complete and partial?

A. Well, some were complete, had not been overwritten. Other
ones had partially been overwritten, so part of the file existed but
not the complete file.

Q. I want to talk about the restore points on the computer.
First, what is a restore point?

A. Sir, restore point is a Microsoft concept to make sure that
your computer did not break. So, for example, let's say you load a
piece of software. It will create a restore point prior to
installing the software so if there's a problem, you can go back in
time and your computer will work again. If you plug a new hard drive
in and it doesn't work and you activate the restore point and go
back in time and it was like the hard drive was never actually
installed so your computer continues working.

Q. And what does your examination of the restore points tell
you about the computer generally?

A. It would show things like, it would show file names. Files
that either did exist or had existed at one time within the various
user profiles.

Q.  Did  the  restore  points  shed  any  light  on  the  date  that  the 
computer  might  have  been  imaged? 

A.  Yes,  sir. 

Q.  Please  explain. 

A.  The  computer  is  approximately  imaged  in  early  March  2010. 

Q. And what, if a computer has been imaged in March 2010, what
does that mean to you as the forensic examiner?

A.  Since  it  had  been  reimaged,  everything  really  pertinent, 
all  the  allocated  files  prior  to  that  were  now  unallocated  or 
overwritten. 

Q.  Agent  Shaver,  I  want  to  talk  about  the  contents  of  the 
Farah  folder  we  discussed  earlier.  Did  you  find  any  documents 
related  to  the  —  that  were  contained  from  the  Farah  folder? 

A. I found some deleted jpegs for graphic image files and PDF
files.

Q.  What  about  just  evidence  that  the  files  had  been  clicked  on 
or  something  like  that? 

A.  Yes,  sir,  within  the  index.dat  file  there  are  several 
hundred  files  named,  the  naming  convention  would  suggest  there  was  a 
Farah  investigation. 




Q. What was the date of the activity on the index.dat file?

A. April 10th, 2010.

Q. Is the index.dat file, is it easy to find as a regular user
of the computer?

A. No, sir, that's hidden. It's a hidden system file. It's a
hidden file.

Q. And in what form does the computer store the index.dat
time?

A. It's a database. So to extract information out you need a
tool, another program to extract it to make it easier to read for
people.

Q. And in this case, what did you do with the index.dat file?

A. I extracted it and put it into Excel for ease of review.

Q. When you extracted and put it into Excel did you alter the
information in any way?

A. No, sir, I just — No, sir, I did not.

Q. If you had printed the entire index.dat file in this Excel
version, how long, how many printed pages would that be?

A. A lot, sir. Several hundred probably.

ATC [CPT MORROW]: I'm retrieving what's been marked as
Prosecution Exhibit 128 for Identification. I'm handing the witness
what's been marked as Prosecution Exhibit 128 for Identification.

Q. Just take a few moments to look at it.

[There was a brief pause while the witness reviewed the exhibit.]

Q.  Do  you  recognize  that  document? 

A.  Yes,  I  do. 

Q.  What  is  it? 

A.  Sir,  that  is  an  Excel  spreadsheet  I  created.  It's  an 
extract  summary  of  the  index.dat  pertaining  to  April  10th. 

Q.  And  how  did  you  create  this  summary  of  the  index.dat? 

A.  Sir,  I  filtered  on,  filtered  on  April  2010. 

ATC [CPT MORROW]:  And permission to publish with the Court,
Your Honor?

MJ:  Go  ahead. 

Q.  I'm going to publish just the last page of the Exhibit.
But Agent Shaver, I'm just publishing the last page, but I'd like you
to just describe what the activity you observed in the index.dat file
on this date is. What are you observing?

A.  Sir, left to right we have obviously a line item number,
the next one is a date in military time, GMT hours. It's -- And it
shows you visited. The Bradley.Manning user profile, visit a file
called — located in the documents and settings,
Bradley.Manning/mydocuments/downloadsf oldertab_Dtab D/appendix -

Q.  Well  let's  make  this  shorter.  Let's  look  at  the  last  line 
of  this  line  247. 

A.  Yes, sir.

Q.  Of the line that ends in Farah.zip?

A.  Correct.

Q.  Describe the activity observed from that line and up
leading to again Farah.zip.

A.  Correct. Okay, sir, apparently some files were — it shows
three files. Three PDF files were visited at 1659 hours and at 1705
a file called Farah.zip was visited by the Bradley.Manning user
profile. The Farah.zip is in the downloads folder and so are the
other documents.

Q.  Now, if you look at the entire exhibit, 128 for
Identification in conjunction, I mean, if you flip through every
page, what does the activity show you as you — what does the
index.dat capture?

A.  It's capturing a user — the user account Bradley.Manning
first visiting a website non-REL.CIE.CENTCOM.smil.mil. Then shortly
there later a lot of files locally on the computer.

Q.  How can you tell that they're locally on the computer?

A.  Again, sir, the file, if it's local it would be user name
at file. If it was a web page, it would be user name at http, that
means web.

ATC [CPT MORROW]:  Your Honor, at this time the prosecution
moves to admit Prosecution Exhibit 128 for Identification into
evidence.

ADC [CPT TOOMAN]:  No objection, Your Honor.

MJ:  Prosecution Exhibit 128 is admitted.

Q.  Now, if I could, I'd like to retrieve Prosecution Exhibit
128 again. Agent Shaver, in this time period 10 April 2010, if you
would just look, we talked about a BE22PAX.zip earlier. Do you
remember that?

A.  Yes, sir.

Q.  Do you see any videos locally on the computer at this time

A.  No, sir.

Q.  - looking through the index.dat file?

A.  No, sir.

Q.  Did you look for BE22PAX.zip?

A.  I have previously. Yes, sir. It is not there.

Q.  Thank you. Now, Agent Shaver, I want to transition from
logs collected from the CENTCOM SharePoint server. Did you examine
logs from that server?

A.  Yes, sir, I did.

Q.  When was the first date captured by the CENTCOM SharePoint
SharePoint logs?

A.  It would be 1 December 2009.

Q.  So you didn't have anything prior to 1 December 2009?

A.  No, sir.

Q.  Now, what type of information was captured in the CENTCOM
SharePoint logs?

A.  These  are  Microsoft  Internet  Information  Service  logs. 
They're  standard  Windows  logs.  They  capture  an  IP  address,  a  local 
IP  address  making  a  request,  date  and  time,  and  the  activity,  the 
file  requested. 

Q.  Now, when you say a local IP address, what do you mean by
that?

A.  Sir,  these  logs  have  been  configured  to  capture  local  IP 
not  remote  IPs.  So,  for  example  in  this  case  a  .22  or  .40  had 
connected  that  would  not  show  up.  It  would  be  a  local  IP  to  the 
network. 

Q.  And  when  you  reviewed  the  CENTCOM  SharePoint  logs,  did  you 
observe  any  activity  on  10  April  2010,  in  those  logs? 

A.  I  did,  sir. 

Q.  What  did  you  observe  in  the  logs? 

A.  There  was  a  large  download  of  files. 

ATC [CPT MORROW]:  I'm retrieving what's been marked as
Prosecution Exhibit 129 for Identification. I'm handing the witness
what's been marked as Prosecution Exhibit 129 for Identification.

Q.  Take  a  few  moments,  Agent  Shaver,  if  you  would. 

[There  was  a  brief  pause  while  the  witness  reviewed  the  exhibit.] 

Q.  Do you recognize that document?

A.  Yes, sir.

Q.  What is it?

A.  This is a Excel spreadsheet I created from the CENTCOM logs
pertaining to the downloads on 10 April 2010.

Q.  And approximately how many lines of activity are in this
document?

A.  Sir, there are 334 lines.

ATC [CPT MORROW]:  I'm retrieving the exhibit from the witness.
Your Honor, permission to publish?

MJ:  Go ahead.

[There was a brief pause while the assistant trial counsel published
the exhibit to the witness and the Court.]

Q.  Agent Shaver, I'm just showing the last page of the
exhibit. Can you describe the activity from left to right generally?

A.  Sure. Left to right, the number on the left is the line
item number, the date and time. The server IP. And the action, the
action, the download — the download file was downloaded.

Q.  You reviewed all the activity in the CENTCOM SharePoint
logs on 10 April. Is that correct?

A.  Yes, sir.

Q.  I'll hand you back Prosecution Exhibit 129 for
Identification. If you would, just please review or if you recall
from memory, were any videos downloaded from the CENTCOM Sharepoint
Server at this time?

A.  No,  sir,  not  at  this  point. 

Q.  How  do  you  know  that? 

A.  Sir,  I  searched  for  them. 

Q.  What  were  you  using  to  search? 

A.  BE22.zip,  they  were  stored  on  the  file  as  a  zip  file  not  as 
a  movie  file. 

ATC [CPT MORROW]:  Your Honor, at this time the prosecution
moves to admit Prosecution Exhibit 129 for Identification into
evidence.

ADC [CPT TOOMAN]:  No objection, ma'am.

MJ:  Prosecution  Exhibit  129  for  Identification  is  admitted. 

Q.  Agent  Shaver,  you  said  earlier  that  you  recovered  or  found 
numerous  JPEGs  in  the  unallocated  space.  Is  that  correct? 

A.  Yes. 

Q.  What  is  that? 

A.  Sir,  that's  a  graphic  image  file,  a  picture. 

Q.  Do  you  have  to  use  any  special  tool  to  find  a  JPEG? 

A.  Yes,  sir. 

Q.  What  do  you  use? 

A.  I would have used EnCase to search for these things.

Q.  When you were searching the unallocated space, did you find
any video files in the unallocated space?

A.  No,  sir. 

Q.  Did  you  find  any  video  files  in  the  allocated  space? 

A.  Yes,  sir. 

Q.  What  did  you  find? 

A.  I  found  several  movies,  two  of  which  were  dealing  with  the 
collateral  murder. 

Q.  Did  you  find  any  of  the  videos  that  were  located  on  the 
CENTCOM  Sharepoint  server? 

A.  No,  sir,  I  did  not. 

Q.  Did  you  find  any  of  the  videos  located  on  the  CENTCOM 
SharePoint  Server  in  the  unallocated  space? 

A.  No,  sir;  I  did  not. 

Q.  Agent  Shaver,  I'd  like  to  transition  to  the  other  SIPRNET 
computer.  What  was  the  IP  address  on  that  computer? 

A.  .40,  sir. 

Q.  What  was  your  process  for  the  examination  of  this  computer? 

A.  Sir,  I  verified  the  hash  values  matched  and  I  conducted  my 
examination  to  answer  the  questions. 

Q.  Were  you  working  off  an  image? 

A.  Yes,  sir,  I  was  working  off  an  image. 

Q.  What was the configuration of the computer?

A.  Sir, it was a Windows computer. It was a United States
Army computer. It was on a domain. There was a Bradley.Manning user
profile present.

Q.  And  did  this  computer  have  CD  burning  tools? 

A.  Yes,  sir;  it  did. 

Q.  And  I  didn't  ask  this  question  before,  but  did  the  .22 
computer  have  CD  burning  tools? 

A.  Yes,  sir. 

Q.  What  was  the  CD  burning  tool? 

A.  Roxio.

Q.  What is Roxio?

A.  Sir, that is a CD burning utility, it's a program to burn
CDs.

Q.  What  happens  to  the  disk  when  you  burn  —  What  happens  when 
you  burn  a  disk  using  Roxio?  How  does  the  Roxio  program  name  a  disk? 

A.  Sir,  by  default  it  names  it  by  a  date  time  group.  So  by 
default  it's  two-digit  year,  two-digit  month  and  day,  underscore, 
two-digit  hour,  two-digit  minute. 

Q.  And  that's  the  default  setting? 

A.  Yes,  sir. 

Q.  Now, how do you know that that's the default setting for
the way Roxio names a disk?

A.  On these computers? Sir, I converted the .22 into a
virtual machine and then I logged in and then I burned a disk and
then I examined the naming structure of the disk.

Q.  And again, just this was from a long time ago, but what is
a virtual machine?

A.  Sir, a virtual machine is just another computer running
virtually within a host computer. So if I'm running a Windows
computer as a host, I can run a Linux or Macintosh computer as a
guest.

Q.  So you burned a CD using Roxio through a virtual machine?

A.  Yes, sir.

Q.  And on the .40 computer, what were you looking for?

A.  Sir, I was looking for any of the similar items I found on
the .22. Were there any Department of State cables and things,
documents along those lines.

Q.  And what did you find?

A.  Sir, within the unallocated space I found a CSV file that
contained over 100,000 complete Department of State cables in Base64
format.

Q.  And you said this was in the unallocated side?

A.  Yes, sir.

Q.  And what does Base64 look like to the human eye?

A.  Gibberish. A through F, 1 through 8 so.

Q.  And these are full cables?

A.  Yes, sir.

Q.  Now, by just looking at the Base64, were you able to tell
what the original form of the file was?

A.  No, sir. I could, I was able to decode them from Base64
back to regular text and view the contents, but the original source
at this point I could not tell.

Q.  And how would someone convert let's say we're talking about
a web page, HTML, how would someone convert a web page to Base64?

A.  Because of the sheer volume of them all, I believe a script
was used. A script would be an automated step program, small
program.

Q.  Did you find a script on this computer, on the .40 computer
that would convert HTML to a Base64?

A.  No, sir, I did not.

Q.  Based on your examination of both computers, the .40 and
.22 did one appear to be used more often by PFC Manning?

A.  Yes, sir. The .22 appeared to have more activity.

ATC [CPT MORROW]:  One moment, Your Honor. No further
questions, Your Honor.

MJ:  Cross-examination?

ADC [CPT TOOMAN]:  Yes, ma'am.

CROSS-EXAMINATION

Questions by the assistant defense counsel [CPT TOOMAN]:

Q.  Agent  Shaver,  good  afternoon  again. 

A.  Good  afternoon,  sir. 

Q.  Agent Shaver, I'd like to talk first about Wget. You spoke
about Wget on direct examination?

A.  Yes,  sir. 

Q.  Let's  talk  about  it  some  more. 

A.  Sure. 

Q.  Now,  you  would  agree  with  me  that  Wget  does  not  give  a  user 
access  to  information  that  they  otherwise  wouldn't  have  access  to, 
correct? 

A.  Correct. 

Q.  So  if  a  user  ever  uses  Wget  on  the  NCD  database,  for 
example,  using  Wget  isn't  going  to  allow  that  user  to  grab  something 
they  normally  wouldn't  be  able  to  see? 

A.  You  are  correct. 

Q.  And  it  wouldn't  —  Wget  wouldn't  allow  the  user  to 
circumvent  any  sort  of  restrictions  that  the  NCD  may  place  on  the 
user? 

A.  Correct. 

Q.  So  you  would  agree  with  me  that  Wget  doesn't  give  a  user 
any  more  access  than  they  would  have  normally? 




A.  Correct.

Q.  Now, you spoke about your examination on the 22 machine and
the 40 machine and you did a complete scrub of those machines,
correct?

A.  Yes, sir.

Q.  You spoke about some of the machines you were looking for.
You were also looking for what's known as the WikiLeaks most wanted
list, correct?

A.  Yes, sir.

Q.  Something that when you were going through both the 22 and
the 40 machine, that's something you were looking for?

A.  Yes, sir.

Q.  And let's talk about the 22 machine first. As you went
over that byte by byte and bit by bit you never found any evidence
that PFC Manning had seen that, correct?

A.  Sir, I apologize, I don't remember exactly what was on the
entire list. Do you have that -

Q.  I guess let me clarify, I'm sorry. The actual list itself?

A.  Right. Oh, no, sir; I did not see the list.

Q.  So there was no evidence that on the 22 machine a user had
viewed that list?

A.  Correct.

Q.  No evidence that a user ever had saved that list?

A.  Yes, sir.

Q.  Or printed it?

A.  Correct.

Q.  Or done anything with it?

A.  Correct.

Q.  And the same would be true for the 40 machine as well,
correct?

A.  Yes, sir.

Q.  And the same would be true, we have heard testimony about a
number of Tweets from WikiLeaks, you would agree there's no forensic
evidence that on the 22 machine that a user of that machine saw any
Tweets from WikiLeaks?

A.  There should not have been since it's SIPRNET and all.

Q.  Likewise, the 40 machine?

A.  Correct.

Q.  No evidence of viewing any Tweets?

A.  Correct, sir.

Q.  I want to talk about the Farah video which you testified
about at length on direct. You mentioned that you saw some
references to the Farah video in index.dat file, correct?

A.  No, sir.

Q.  What did you say about the index.dat registry in Farah?

A.  The Farah folder.

Q.  Okay.

A.  I  did  not  see  anything  pertaining  to  the  like  the 
BE22PAX.zip  files. 

Q.  Okay.  In  the  index.dat  there  was  evidence  that  the  user  of 
the  22  machine  had  viewed  things  related  to  Farah? 

A.  Yes,  sir. 

Q.  Correct?  Okay.  And  have  you  ever  viewed  JPEGs? 

A.  Yes,  sir. 

Q.  PDFs? 

A.  Yes,  sir. 

Q.  PowerPoints?

A.  Yes, sir.

Q.  But there were no files you would associate with videos?

A.  Correct. 

Q.  That  was  on  10  April? 

A.  Yes,  sir. 

Q.  And  there  was  no  other  evidence  on  the  22  machine  of 
viewing  things  or  using  things  related  to  Farah,  correct? 

A.  Correct. 

Q.  So  only  on  10  April,  right? 

A.  Yes,  sir. 

Q.  And -

A.  I'm sorry, sir, but there's -

Q.  Okay, in the Farah folder?

A.  Correct. 

Q.  Okay.  Now,  you  also  talked  about  CENTCOM  server  logs  and  a 
number  of  downloads  and  those  downloads  were  on  10  April  as  well, 
correct? 

A.  Yes,  sir. 

Q.  And  those  again  were  PDFs? 

A.  Yes,  sir. 

Q.  JPEGs? 

A.  Yes,  sir. 

Q.  PowerPoints? 

A.  Yes,  sir. 

Q.  Not  videos? 

A.  Correct. 

Q.  Now, when you looked at the CENTCOM logs, you also looked
at — you had the ability to look and see how many times those zip
files, those video zip files had been viewed, correct?

A.  Correct. 

Q.  There  were  three  zip  files  on  the  CENTCOM  server? 

A.  Correct. 

Q.  One  of  them  was  BE22PAX.zip.  Is  that  right? 

A.  Yes,  sir. 

Q.  One of them was BE22STKl.zip?

A.  Sir -

Q.  Does that sound familiar?

A.  It  does  sound  familiar,  yes,  sir. 

Q.  And  BE22strike2.zip? 

A.  That  sounds  right. 

Q.  Agent  Shaver,  when  you  were  doing  your  examination,  were 
you  able  to  determine  how  large  those  files  were? 

A.  As  I  recall,  sir,  I'm  sorry  I  don't  know  exact  numbers,  but 
about  30  meg,  31  megs  apiece. 

Q.  So each individual file was around 30 megs?

A.  Correct.

Q.  Cumulatively around 90 megs?

A.  Yes, sir.

MJ:  What  is  a  meg? 

Q.  Would  you  please  - 

A.  Ma'am,  that's  a  file  size,  megabyte. 

MJ:  Okay. 

Q.  Thank you, Agent Shaver. Now, you found two instances, and
if you could, again, just remind us how — sort of the timeframe for
those CENTCOM server logs. When did those -

A.  1 December.

Q.  1 December.

A.  I believe they ended in July 2010.

Q.  Okay. So from 1 December to July 2010, you'd agree with me
when you reviewed those logs there were only two instances of those
files, those files — those zip files being viewed?

A.  Yes,  sir. 

Q.  Okay.  And  one  of  those  was  on  28  January  2010? 

A.  Yes,  sir. 

Q.  And  one  of  them  was  on  23  February  2010? 

A.  Correct. 

Q.  And  you  have  the  ability  through  those  logs  to  determine 
the  IP  address  of  the  person  requesting  or  the  computer  requesting, 
correct? 

A.  No,  sir. 

Q.  No.  Okay.  So  you  weren't  able  to  determine  who  or  what 
computer  actually  viewed  those? 

A.  Correct. 

Q.  Okay.  Now,  I  want  to  talk,  again,  about  or  continue 
talking  about  I  guess  we'll  transition  back  to  the  22  machine. 

A.  Okay. 

Q.  And I want to talk to you about the unallocated space
there. Or maybe not dealing with unallocated space. We'll talk
about the 22 machine generally. You would agree with me that there
was a file path that you could see on the 22 machine that was, that
showed the user of the 22 machine accessing the T-drive. There were
instances where you could see -

A.  Oh, yes, sir.

Q.  - that user accessing the T-drive. And you found an
instance where there was a file path T:/BDE,
brigade, /specialstaff/FEC/TACP/Trainingcompleteby20December 2009?

A.  Correct. 

Q.  And  you  and  —  slash  —  okay.  So  that  was  on,  that  file 
path  you  found  the  22  computer  accessing  that  on  17  April,  correct? 

A.  That  sounds  right,  sir. 

Q.  Okay.  And  inside  that  folder  you  would  agree  with  me  there 
was  a  file  called  TGT1.WMV? 

A.  Correct. 

Q.  Could you explain for the court what WMV file is generally?

A.  It's generally a movie file.

Q.  Could you tell if that particular file TGT1 was a movie
file?

A.  Just  based  off  the  name? 

Q.  Just  based  off  the  —  and  the  extension? 

A.  It  appear  to  be  based  off  of  the  extension. 

Q.  Were  you  actually  able  to  view  that  file? 

A.  No, sir.

Q.  You weren't. Okay. But based on the extension, you would
associate that with some sort of video?

A.  Correct. 

Q.  Okay.  Now,  you  would  agree  with  me  that  the  forensic  of 
the  22  machine  show  that  TGT1.WMV  file  in  two  locations  on  the  22 
machine? 

A.  Correct. 

Q.  One of those locations was in the documents and settings on
C drive, documents and settings, Bradley.Manning, my documents and
then forward slash Farah, forward slash Farah?

A.  Correct.

Q.  And that was the same file, TGT1.wmv?

A.  It appears to be, yes, sir.

Q.  Okay. And then the other location where you found that
file was in, again the C drive documents and settings again
Bradley.Manning my documents forward slash yada, forward slash Farah?

A.  Correct.

Q.  Again, that was TGT1.wmv?

A.  Yes,  sir. 

Q.  A  file  normally  associated  with  a  video? 

A.  Correct. 

Q.  So, you would agree with me that the 22 machine, it would
appear took this file off of the T-drive, the shared drive of the —
that the user would have had access to and moved it to two folders on
that user's computer that were called Farah?

A.  Appears  so. 

Q.  I  want  to  go  back  to  the  actual  file  path.  You  would  agree 
with  me  that  on  the  T-drive,  that  long  file  path  that  we  have  here 
brigade  special  staff,  FEC,  etcetera,  the  last  portion  of  that  is 
forward  slash  Farah? 

A.  Correct. 

Q.  So the 22 machine, we could even say the user
Bradley.Manning, accessed the shared drive, accessed the shared drive
— accessed a share drive with — called Farah, at least in part,
there was a movie file in there, would you agree with that?

A.  Yes.

Q.  Bradley.Manning user account, then took that file and
placed it on the machine, the 22 machine in two locations?

A.  Yes,  sir. 

Q.  And  both  of  those  locations  had  Farah  in  the  title? 

A.  Correct. 

Q.  Now,  you  also  found  reference  to  this  particular  file,  TGT1 
in  the  dot  22s  registry,  correct? 

A.  Correct. 

Q.  Could you explain for the court what it means when you find
something in the registry?

MJ:  What was it you found in the registry?

ADC [CPT TOOMAN]:  The TGT1.WMV.

A.  Which  registry  file,  the  user? 

Q.  The  user's  registry  file? 

A.  Yes,  sir.  Each  user  account  has  a  file  called  NTuser.dat. 
If  you  open  the  documents,  there's  a  lot  of  information  within  the 
NTuser.dat.  It  maintains  information  such  as  the  last  10  Word 
documents  you  opened.  One  of  the  files  there  was  the  TGT1  appeared 
to  be  accessed  as  well. 

Q.  So the appearance of the TGT1.wmv file in the registry
would suggest that it was played?

A.  Yes.  Reviewed. 

Q.  And  —  Reviewed.  Were  you  able  to  tell  what  application 
was  used  to  view  that? 

A.  I  believe  it  was  a  - 

Q.  Was  it  Windows  Media  Player? 

A.  I believe so, yes, sir. Sorry.

Q.  Okay.  And  could  you  explain  for  the  Court  what  one 
generally  uses  Windows  Media  Player  for? 

A.  Playing  videos  or  audio. 

Q.  Okay. So we have the user Bradley.Manning playing the
TGT1.wmv file in an application that's typically used to view videos

A.  Right.

Q.  That was on September — or I'm sorry, 17 April 2010?

A.  I — I don't recall the date. I'm sorry. That sounds
reasonable.

ADC [CPT TOOMAN]:  Your Honor, I'm going to retrieve what's
been marked as Defense Exhibit Golf, I believe for Identification.

Agent, would you please head over to the panel box. This
actually is Defense Exhibit Golf for ID. I'm handing the exhibit for
identification to the witness.

Q.  Agent  Shaver,  do  you  recognize  that  document? 

A.  Yes,  sir;  I  do. 

Q.  What  is  it? 

A.  Sir,  this  is  a  Excel  spreadsheet  I  created  from  the 
Intelink  logs  —  how  far  can  I  go?  I'm  sorry,  I'm  a  little  confused 
how  far  detail  you  want  me  to  go  on  this. 

Q.  You  can  say  more. 

A.  It  contains  —  Based  off  the  key  words  Farah  and  CENTCOM. 

Q.  How  do  you  know  that  that's  what  that  document  is? 

A.  I  created  it,  sir. 

Q.  How  did  you  go  about  creating  it? 

A.  Sir, I filtered, again it was an Excel spreadsheet. So I
filtered on the key words Farah and CENTCOM.

Q.  So these are the Intelink logs. We dealt with these a
little bit yesterday and now we have got, and again, the Intelink
logs are like Google searches on the SIPR machine, correct?

A.  Correct. 

Q.  So  what  you've  done  here  is  you've  taken  the  Intelink  logs 
and  these  are  the  full  logs,  right? 

A.  Yes,  sir. 

Q.  Not just the queries but the full logs?

A.  Yes,  sir. 

Q.  And  you've  taken  those  and  you've  filtered  them  to  grab  any 
actions  that  deal  with  Farah  and  CENTCOM? 

A.  Both  key  words,  yes,  sir. 

Q.  Okay.  Both  key  words.  So  —  Okay.  Now,  looking  at  that, 
would  you  agree  with  me  that  at  no  point  did  the  or  the  22  or  the  .40 
user  view  any  videos  on  the  CENTCOM  server  that  dealt  with  Farah? 

Take  a  moment  to  look  through  that  if  you  need  to. 

A.  Could  you  repeat  your  question? 

Q.  I  will  repeat  the  question. 

A.  Thank  you. 

Q.  Would you agree with me that there's no evidence that the
22 or .40 machine or I should say the user Bradley.Manning, viewed
anything, any videos that were associated with Farah?

A.  You are correct.

Q.  What was the date range on those Intelink logs?

A.  One  moment,  sir.  [Reviewing  the  exhibit.]  It  appears  to 
be  22  March  2010. 

Q.  And  the  Intelink  logs  generally  speaking  would  include 
what,  what  range  of  dates? 

A.  November  2009  to  May  2010. 

ADC [CPT TOOMAN]:  I'm retrieving the exhibit. Agent Shaver,
you can head back. Your Honor, we would offer this exhibit as
evidence at this time?

MJ:  Can I ask you to repeat your answer. What's the 22 March
2010? What was the question and answer?

ADC [CPT TOOMAN]:  The question was just what dates are
encompassed in this document.

MJ:  Thank  you. 

ATC [CPT MORROW]:  No objection, Your Honor.

MJ:  Golf,  right? 

ADC [CPT  TOOMAN]:  Yes,  ma'am. 

MJ:  Defense  Exhibit  Golf  is  admitted. 

Q.  And  Agent  Shaver,  just  one  more  time,  the  Intelink  logs, 
generally  speaking  the  entire  span  was  from  November  of  2009  to  May 
of  2010,  correct? 

A.  Correct.

Q.  So when you looked at, the only activity that was captured
that dealt with Farah and CENTCOM would have been on 22 March,
correct?

A.  Correct. 

Q.  Now,  Agent  Shaver,  you  talked  on  direct  about  various  ways 
in  which  the  Farah  evidence  made  its  way  onto  PFC  Manning's,  the 
SIPRNET  machines  associated  with  him,  correct? 

A.  Correct. 

Q.  You  talked  about  —  well,  we  talked  about  the  Intel  Link 
logs.  We  have  also  seen  data  from  the  CENTCOM  server,  correct? 

A.  Correct. 

Q.  Did you look at any other logs in order to determine
whether  any  data  was  transferred  from  CENTCOM  to  the  22  or  the  40 
machines? 

A.  Yes,  sir,  I  did. 

Q.  What  did  you  look  at? 

A.  I looked at log files, other logs files called Centaur
logs.

Q.  What are Centaur logs?

A.  Sir, those are net flow logs. They capture information to
sensor.

MJ:  Yes.

ATC [CPT MORROW]:  Objection, Your Honor. Outside the scope of
the direct.

MJ:  Sustained.

ADC [CPT TOOMAN]:  One moment, please. Your Honor, the defense
believes the government has opened the door to the Centaur logs. The
witness has testified about how the Farah -- He's testified about
the video that's the subject of Specification 11 specifically. He's
talked about how documents related to Farah have ended up on the
witness's or on the, my client's machine. And we think that talking
about the Centaur logs would give the Court the complete picture of --

MJ:  All right. Government, what is — are you planning on
addressing the Centaur logs later?

ATC [CPT MORROW]:  In conjunction with Department of State
information, Your Honor.

MJ:  Is there anything in the Centaur logs, I'll ask both sides,
that's relevant to the Farah videos?

ADC [CPT TOOMAN]:  The defense believes so, Your Honor.

MJ:  I will overrule the objection to the extent you're talking
about Farah.

ADC [CPT TOOMAN]:  Yes, ma'am.

Questions continued by the assistant defense counsel [CPT TOOMAN]:

Q.  So could you explain again what are Centaur logs?

A.  They are net flow logs, sir. They're sensors throughout
the DoD network and they measure — they see traffic. They capture
the flow of traffic. You don't know what data is transferred but you
can say the data is transferred between two computers.

Q.  So  if  you're  a  user  and  you  log  onto  the  CENTCOM  server, 
we're  going  to  see  the  IP  address  associated  with  Agent  Shaver  has 
connected  to  the  CENTCOM  server  and  we'll  see  data  going  back  and 
forth? 

A.  Correct. 

Q.  Now,  what  did  you  do  with  the  CENTCOM,  I'm  sorry,  the 
Centaur  logs? 

A.  Sir,  I  put  them  to  Excel  for  easier  review. 

ADC [CPT TOOMAN]:  At this time I'm going to retrieve Defense
Exhibit Charlie for Identification.

Agent Shaver, could you please move to the panel box.

Q.  I'm  handing  you  what's  been  marked  as  Defense  Exhibit 
Charlie  for  Identification.  What  is  that  document? 

A.  Sir,  this  is  a  spreadsheet  I  created.  It  shows  the  IP 
address  of  the  remote  computer,  the  computer  name  and  the  computer 
name  contains  the  words  CENTCOM  and  it  shows  you  the  total  number  of 
connections  and  the  total  data  transferred. 

Q.  How  many  IPs  are  listed  there  that  you  have  associated  with 
CENTCOM? 

A. Seven.

Q. And when you created this — or when you reviewed the Centaur logs, well. I'll hold off on that. Couple more questions about Centaur logs generally. Do those cover net data flow over all of DoD?

A. Yes and no.

Q. Okay.

A. Sensors are placed throughout the network so, say, for example, this room is a network. You and I could communicate all day long there won't be any censored [sic] communication. As soon as you left the room and the sensor, that's when the sensor would connect — would log it. There may not have been any sensors within the actual FOB Hammer or Iraq. There may be sensors when you leave country.

Q. Okay.

A. So you're not going to get a complete picture and also Centaur logs, sensor, they go down, so Centaur logs are not a complete picture. There are unfortunately large breaks of data where there's no information.

Q. Sure. And, in fact, in the Centaur logs that you reviewed there were large gaps in data, correct?

A. Yes, sir.

Q. What was the timeframe of the Centaur logs you reviewed in this case?

A. I want to say October 2009 to May 2010.

Q.  Okay.  And  the  Centaur  Logs  you  reviewed  included  activity 
between  the  22  and  40  machine  and  other  servers  throughout  DoD, 
correct? 

A.  Correct. 

Q.  Directing  your  attention  back  to  Defense  Exhibit  Charlie 
for  Identification.  You  mentioned  that  there's  a  column  there  that 
talks  about  how  much  data  was  actually  transferred,  correct? 

A.  Correct. 

Q.  If  you  could  just,  you  said  there  were  seven  servers? 

A.  Correct. 

Q.  How  much  data  was  transferred? 

A.  Ish? 

Q.  Ish. 

A.  Thank  you.  Maybe  20  megs. 

ADC [CPT TOOMAN]: I'm going to retrieve this exhibit for identification from the witness and offer it as Defense Exhibit Charlie.

ATC [CPT MORROW]: We'd object, Your Honor, based on lack of foundation.

MJ: You're the ones that objected into going more in depth into the Centaur logs.

ATC [CPT MORROW]: We object on that basis that it was outside the scope of direct.

MJ: I understand that but I told him I'm limiting him to going with — let me put it this way. Does the government believe that there could be additional foundation with respect to the Centaur logs without going beyond what I said with Farah?

ATC [CPT MORROW]: Your Honor, we'll withdraw the objection.

MJ: Thank you. Exhibit Charlie for Identification is admitted.

ADC [CPT TOOMAN]: I'm now retrieving what's been marked as Defense Exhibit Delta for Identification. I'm handing the witness Defense Exhibit Delta for Identification.

Questions continued by the assistant defense counsel [CPT TOOMAN]:

Q. Agent Shaver, what is that?

A. Sir, this is an Excel spreadsheet I created.

Q. What does that Excel spreadsheet show?

A. It shows the source and destination IPs, the net flow data of the data that was captured, traffic that was captured.

Q.  What  IPs  did  you  capture  in  the  source  IP  column? 

A.  Those  would  be  the  CENTCOM  servers. 

Q.  Would  those  be  the  same  IPs  from  Defense  Exhibit  Charlie? 

A.  Can  I  see  them  to  verify? 

Q.  Sure. 

A. Thanks.

ADC [CPT TOOMAN]: I'm handing the witness Defense Exhibit Charlie.

WIT: Thank you, sir. [Reviewing both exhibits.]

A. Yes, sir.

Q. You said you created Defense Exhibit Delta for Identification. How did you go about creating that document?

A.  Sir,  since  there  was  an  Excel  spreadsheet  I  simply  filtered 
on  the  IPs  that  result  back  to  the  CENTCOM  main. 

Q.  So  the  source  IP  column  includes  the  IPs  from  CENTCOM, 
correct? 


A.  Correct. 

Q.  And  the  destination  IPs  are  what? 

A.  Either  .40  or  .22. 

Q.  So  you  would  agree  with  me  that  Defense  Exhibit  Delta  for 
Identification  includes  the  net  flow  data  between  CENTCOM  servers  and 
the  22  and  40  machines  that  was  captured  by  the  Centaur  logs? 

A.  Correct. 

Q.  Now,  and  again  you  mentioned  that  there  are  gaps  in  the 
Centaur  logs? 

A.  Yes,  there  are. 

Q.  Are  there  any  gaps  reflected  in  Defense  Exhibit  Delta  for 
Identification? 

A. There are some.

Q.  Again,  those  gaps  are  because  sensors  go  down,  correct? 

A.  Yes,  sir. 

Q.  Or  there  could  be  gaps  because  there's  no  activity? 

A.  Correct. 

Q.  We  don't  know  why  there's  gaps? 

A.  There's  just  a  gap. 

Q.  We  do  know  that  —  you  would  agree  with  me  it's  not  because 
of  anything  that  the  user  would  have  done? 

A.  Correct. 

Q.  So,  it's  not  —  It  wouldn't  have  been  PFC  Manning  who 
tampered  with  Centaur  logs  and  forced  them  to  not  gather  data? 

A.  Correct. 

Q. That's just something that happens. Now, I want to talk
about,  I  guess  at  this  time,  Your  Honor,  we  would  offer  Defense 
Exhibit  Delta  for  Identification  as  Defense  Exhibit  Delta? 

MJ:  Government? 

ATC [CPT  MORROW]:  Delta  or  Charlie? 

MJ:  They've  admitted  Charlie. 

ATC [CPT  MORROW]:  Oh,  sorry. 

MJ:  This  is  Delta. 

ATC [CPT MORROW]: No objection, Your Honor.

MJ: May I see it please?

ADC [CPT TOOMAN]: I'm retrieving Defense Exhibit Delta from the witness and handing it to the judge.

MJ: Defense Exhibit Delta is admitted.

ADC [CPT TOOMAN]: I'm handing Defense Exhibit Delta back to the witness.

Questions  continued  by  the  assistant  defense  counsel  [CPT  TOOMAN] : 

Q.  Agent  Shaver,  yesterday  you  spoke  about  a  number  of 
Intelink  log  searches.  Do  you  recall  that? 

A.  Yes. 

Q.  We  talked  about  searches  that  were  related  to  Farah? 

A.  Correct. 

Q.  One  such  search  was  on  30  November  by  the  .40  machine? 

ADC [CPT TOOMAN]: I will retrieve Prosecution Exhibit 81, please. Your Honor, the prosecution exhibit that I'd like the witness to reference is in a safe right now.

MJ: Is this a good time to take a brief recess?

ADC [CPT TOOMAN]: I think it's a great time, Your Honor.

MJ: Can someone go get it?

TC [MAJ FEIN]: Ma'am, someone has gone to get it.

MJ: Is it still a good time, how long is it going to take them to get it do you think?

TC [MAJ FEIN]: Ma'am, probably 2 or 3 minutes.

MJ: Okay.

TC [MAJ FEIN]: Or less.

MJ: We can wait. Court is recess in place. The witness will remain in the witness box. Feel free to move around.

[The  court-martial  recessed  at  1656,  11  June  2013.] 

[The  court-martial  was  called  to  order  at  1658,  11  June  2013.] 

MJ:  Court  is  called  to  order.  Please  be  seated.  Proceed.  Let 
the  record  reflect  all  parties  present  when  the  Court  last  recessed 
are  again  present  in  Court.  Go  ahead. 

ADC [CPT TOOMAN]: I'm going to retrieve Prosecution Exhibit 81 and hand that to the witness.

WIT: Thank you, sir.

ADC [CPT TOOMAN]: Before we get going on that. I'll retrieve Defense Exhibit Charlie from you.

CROSS-EXAMINATION  (continued) 

Questions  by  the  assistant  defense  counsel  [CPT  TOOMAN] : 

Q.  Okay.  Agent  Shaver,  so  on  Prosecution  Exhibit  81  you're 
able  to  see  all  the  Intelink  searches  that  you've  associated  with  my 
client,  correct? 

A.  Two  computers;  yes,  sir. 

Q.  Okay.  And  the  first  such  search  that  implicates  Farah 
would  have  been  on  30  November. 

MJ:  That  would  be  in  2009? 

ADC [CPT TOOMAN]: Yes, ma'am.

A. Yes, sir.

Q. And that was the .40 machine?

A. Yes, sir.

Q. Okay. I'd like you to now look at the Centaur logs -

A. Okay.

Q. - on 30 November. Would you agree with me that there was no data transferred between CENTCOM and the 22 or 40 machine on 30 November?

A. I have no logs of that date.

Q. There are no logs from that date. So you would agree there's no evidence that any data was transferred between the CENTCOM server and the 22 or the 40 machine?

A. There's — There may have been data. I can't tell.

Q. Right. Okay. So the Centaur logs don't show any activity?

A. Correct.

Q. On 30 November?

A. Correct.

Q. Now, the next search we have is 9 December by the .40 machine. Is that correct?

A. One moment. Correct.



Q.  And  that  was  the  .40  machine  looking  at  the  Centaur  logs. 
You  would  agree  with  me  that  there  is  no  evidence  that  data  was 
transferred  on  that  day  either? 

A.  I  have  no  entries  from  December  9,  correct. 


Q. Our next search is on 15 November 2009. Again, that's the .40 machine?

A. Did you say 15 December?

Q. Yes, sir.

A. Yes, sir.

Q. And looking at the Centaur logs?

A. I have no information.

Q. Okay. So there's no evidence of a transfer on 15 November?

A. Right.

Q. Let's look at the next date, the 16th of December 2009, again, the .40 machine?

A.  Correct.  I  have  no  log  of  that  in  Centaur. 

Q.  So  no  data  transferred  on  the  16th  of  December? 

A.  Correct. 

Q.  All  right.  Now,  we  have  what  would  be  December  31st, 
again,  the  .40  machine. 

MJ:  What  was  the  date? 

ADC [CPT  TOOMAN] :  I'm  sorry,  the  31st  of  December,  ma'am. 

A.  I  do  not  have  a  31  December,  or  actually  it  would  be  - 

Q. You have a search for CENTCOM?

A. I do.

Q. Okay.

A. I'm sorry, did you say 30 December or the 31st?

Q. 31.

A. Okay. 31 December I do have a search, Intelink, on Centaur I have no data transferred.

Q.  No  data  transferred  on  Centaur,  okay.  Now,  we  have  2 
January  2010.  And  we  have  a  search  on  the  .40  machine,  correct? 

A.  Yes,  sir. 

Q.  And  the  Centaur  logs  do  show  a  transfer  on  that  day? 

A.  That  is  correct. 

Q.  And  that  transfer  was  637  kilobytes,  correct? 

A. I don't have a calculator, sir.

Q. Okay. Is it 637,547 bytes?

A. Well, no. I would — for 2 January, there were numerous entries. Each had bytes. You would have to total that up.

Q. Okay.

MJ: You mean numerous entries for searched or numerous entries for Centaur?

A. Centaur has numerous entries and each one shows how many bytes were transferred for each entry. I'm sorry, there's quite a few numbers here.

Q. Okay. What's the first one?

A. First byte? 38315. Do you want me to go through all of this?

Q.  Please. 

A.  29185,  168442,  146880,  5888,  2028,  35138,  21597,  19932, 
34797,  7562,  2158,  36338,  21597,  5293,  23875,  32333,  3816  and  2373. 

Q.  Okay.  Would  you  agree  with  me  that  that  comes  out  to  about 
600  megs  or  600  kilobytes? 

A.  Sure. 

MJ:  Do  you  know  or  you  don't  know? 

WIT: No, I don't know, ma'am. I need a calculator. I apologize.

MJ:  No  reason  to  apologize. 

Q.  Okay.  Agent  Shaver,  would  you  agree  with  me  that  if  you 
were  to  add  up  all  of  that,  all  those  bits  and  bytes,  that  would  not 
be  a  enough  to  transfer  a  video? 

A.  Correct.  I  would  agree  with  you  on  that. 

Q.  Okay.  Our  next  Intelink  search  is  on  4  January? 

A.  Yes,  sir. 

Q.  And  that's  the  .40  machine  again? 

A.  Yes,  sir. 

Q.  And  there's  no  evidence  in  the  Centaur  logs  of  data 
transferred  on  that  day,  correct? 

A. That is correct.

Q.  Our  next  search  is  on  19  February? 

A.  Yes,  sir,  I  see  it. 

Q.  Okay.  And  do  you  say  data  transferred  on  that  day? 

A.  I  do  as  well. 

Q.  Okay.  Are  there  multiple  instances  of  data  transfer? 

A.  Yes,  there  are. 

Q.  How  many? 

A.  I  have  two. 

Q.  And  would  you  agree  that  those  two  add  up  to  about  252 
kilobytes? 

A.  [No  answer.] 

Q.  Let  me  ask  you  this.  Agent  Shaver,  would  you  agree  that 
again  on  19  February  there  wasn't  enough  data  transferred  to  transfer 
one  of  the  zip  files  containing  the  video  from  CENTCOM? 

A.  Yes,  sir. 

Q.  Okay.  Now,  let's  look  at  28  February. 

A.  Yes,  sir. 

Q.  Do  we  see  a  search  on  28  February? 

A.  I  do. 

Q.  Again  the  .40  machine? 

A.  Yes,  sir. 

Q. And was there data — There was data transferred on that date, correct?

A. Yes, there was.

Q. How many instances of data transferred?

A. Thirteen.

Q. Okay. And would you agree with me that there's not enough data transferred on that day to have transferred any of the zip files contained in the video?

A. Yes, sir.

Q. Let's look at 12 March. There's a search on 12 March by the .22 machine?

A. Yes, sir.

Q. And we do see data transferred on that day?

A. Yes, sir.

Q. How many instances of transfer are there?

A. I counted 29.

Q. And if you add all those up, you would agree with me that's not enough to have transferred one of the zip folders containing the video from CENTCOM?

A. Yes, sir.

Q. Our next search is on 17 March on the 22 machine.

A. Yes, sir.

Q. And there's no evidence of any data transferred on that day, correct?

A.  One  moment.  Correct,  sir. 

Q.  Now,  our  last  Intelink  search  is  on  22  March,  correct? 

A.  One  moment.  Correct. 

Q.  And  that  was  the  only  search  that  actually  specifically 
references  Farah,  isn't  it?  Of  all  the  Intelink  searches  that 
you've  looked  at  so  far,  that's  the  only  one  that  implicates  Farah? 

A.  Correct. 

Q.  And  there  was  data  transferred  on  that  date? 

A.  22  March,  yes,  sir. 

Q. There are quite a few instances of data transferred on that date?

A.  Yes,  sir. 

Q.  But  you  would  agree  with  me  if  you  added  all  those  up,  it 
wouldn't  be  enough  to  transfer  one  of  the  videos  from  the  CENTCOM 
server,  correct? 

A.  Yes,  sir. 

Q.  And  you  would  also  agree  with  me  that  the  CENTCOM  server 
logs  that  you  reviewed  when  we  talked  about  earlier,  those  showed 
activity  on  22  March  as  well,  right? 

A.  Correct. 

Q. And that was activity where we saw JPEGs and PDFs and PowerPoints we looked at, correct?

A. I'm sorry, sir, I believe that was April.

ADC [CPT TOOMAN]: I'm sorry, that's correct. Okay. Agent Shaver, I'm going to take those exhibits back from you. I'm handing Prosecution Exhibit 81 back to the government. Agent Shaver, you can move back to the witness stand.

[The witness resumed his seat at the witness stand.]

Q. Agent Shaver, you would agree with me that there were no instances — there's no evidence of any, of data being transferred from the CENTCOM servers to the 22 or the 40 machines in a volume large enough to have transferred one of the videos that the CENTCOM server posted?

A. Right.

Q. And you would agree with me that the only instance of a video that is any way associated with Farah that was found on the 22 or the 40 machine was actually — actually came from the T-drive?

A. Okay. Yes, sir.

Q. And that was on 17 April?

A. I don't remember the date.

Q. But it was in April?

A. Yes, sir.

ADC [CPT TOOMAN]: Okay. No further questions. Thank you.

MJ: Redirect.

ATC [CPT MORROW]: Ten minute recess, Your Honor?

MJ: All right. Agent Shaver, same rules apply during recess. Court is in recess then until 20 minutes after 1700 or five o'clock.

[The court-martial recessed at 1730, 11 June 2013.]

[The court-martial was called to order at 1732, 11 June 2013.]

MJ: Court is called to order. Let the record reflect all parties present when the Court last recessed are again present in Court. The witness is in the witness box.

REDIRECT EXAMINATION

Questions by the assistant trial counsel [CPT MORROW]:

Q. Agent Shaver, was the Wget program embedded as part of the NCD server?

A. No, sir.

Q. And how does one download documents or cables from the NCD server?

A. You go to the website and select the files you want and download them.

Q. Now, what does Wget allow you to do when downloading documents from any server, NCD or otherwise?

A. It automates it. It's also more robust, in case there's a bad connection it will retry.

Q. What are some other technical benefits of Wget when downloading documents?

A.  It's  faster.  You  can  run  it  in  the  background.  You  can 
rename  files. 

Q.  How  much  faster  is  Wget? 

A.  Considerably,  sir.  It  all  depends  though  on  the  network 
segment  you're  on.  If  you're  on  a  good  segment  it's  fast  but  it 
would  be  faster  if  you  had  a  good  segment.  If  you're  on  a  poor 
connection  it  would  automate  it.  It  would  be  faster  than  manually. 

Q.  I'd  like  to  talk  about  the  videos  again  on  the  CENTCOM 
SharePoint.  What  was  the  naming  convention  of  the  CENTCOM  Farah 
videos,  or  the  videos  associated  with  Farah  that  were  on  the  CENTCOM 
Sharepoint  Server?  What  was  the  naming  convention? 

A.  They  started  with  BE22. 

Q.  Was  that  true  of  all  the  videos  on  there? 

A.  Yes,  sir. 

Q.  And  what  was  the  naming  convention  of  the  - 

MJ:  What  is  a  naming  convention? 

ATC [CPT  MORROW]:  Just  the  file  name,  sorry. 

MJ:  Okay. 

Q. What was the file name? What was the file name of the .WMV file or the video file on the T-drive that you said was associated with Farah?

A. It was a TGT1.WMV.

Q. Now, can you tell whether the videos on the CENTCOM SharePoint Server with the file names of BE22, etcetera are the same videos or the same video that appeared to be associated with Farah on the T-drive?

A. No, sir, I didn't have — I could not recover the file, TGT1, to compare.

Q. Again, when you searched the unallocated space on the .22 and .40 computers, were you able to find any videos at all?

A. No, sir.

Q. No remnants of any videos?

A. I didn't find complete videos. Video files are complex. If you find a part of it -- it probably won't play. So you need to find basically the entire video to make it work right.

Q. I want to ask you about the NT user file. What is that again please?

A. Sir, that's the — NT user.dat is a registry file. It maintains settings. For each individual user has one. So, again, the easiest way to do — to explain it again, if you have office documents and you go file open it and shows the last 10, that's where that's maintained. Things like that.

Q. So the NT user file would show you sort of the last 10, if it was the WMV or video file version, it would show the last videos that were opened?

A.  Associated  with  that  extension. 

Q.  Okay.  Now,  if  a,  let's  say  a  zip  file  had  a  WMV  embedded 
and  it  was  encrypted  or  password  protected,  would  the  NT  user  file 
capture  a  video  that  wasn't  actually  opened? 

A.  Not  in  that  scenario. 

Q.  Why  is  that? 

A.  Because  it  would  be  a  zip  file  and  it  would  be  also 
password  protected. 

Q.  So  the  password  protected  would  prevent  it  from  being 
logged  in  the  NT  user? 

A.  Correct. 

Q. Now, so let me circle back then. What does it tell you if the TGT1 was in the NT user file?

A.  It  was  not  password  protected  and  it  was  viewed. 

Q.  So  it  was  viewed  or  opened? 

A.  Right. 

Q.  And  Special  Agent  Shaver,  we  talked  about  this  a  while  ago, 
but  you  reviewed  the  Lamo  chat  logs  as  part  of  this  investigation, 
correct? 

A.  Yes,  sir.  I  did. 

Q. And I'd like to retrieve Prosecution Exhibit 30. Agent Shaver, Prosecution Exhibit 30 are the Lamo user and Bradley Manning chat logs. Can you just review them very briefly.

[There  was  a  brief  pause  while  the  witness  reviewed  the  exhibit.] 

A.  Yes,  sir. 

Q.  And  you  recall  reviewing  these  chat  logs  prior  to  the  case, 
correct? 


A.  Yes,  sir. 

ATC [CPT MORROW]: I'm retrieving the exhibit from the witness. Your Honor, permission to publish?

MJ:  Go  ahead. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  published 
the  exhibit  to  the  witness  and  the  Court.] 

Q.  Agent  Shaver,  I'm  publishing  Page  12  of  the  chat  logs.  Are 
you  able  to  read  that? 

A.  Yes.  Can  you  make  it  a  little  bigger? 

Q.  Yep. 

A.  A  little  easier  to  read.  Okay. 

Q.  Now,  I'd  like  you  to  start  with  the  entry  starting  with 
2.14:46:  PM. 

A.  Okay. 

Q.  Can  you  just  read  down  from  there,  please? 

A. Sure. Yes, sir. 'Based upon the description he gave me I assessed it was the Northern European Diplomatic Security Team trying to figure out how he got the Reykjavik cable.' Next line, 'They also caught wind that he had a video of the Gharani airstrike in Afghanistan which he has but he hasn't decrypted yet. The production team was working on the Baghdad strike though which was never really encrypted.' Next line, 'He got the whole 15-6 for the incident — for that incident, so it won't be just a video with no context.' Next line, 'but it's not nearly as damning. It is an awful incident, but nothing like the Baghdad one'.

Q. Now, let me stop you there. Based on the description of the Gharani video and these chat logs and what you observed in the NT user file with the WMV so TGT1.wmv, what does that tell you?

A. This chat makes it sound like they had the password protected one not the — they have a password protected version of the videos and they're — they have not decrypted it.

Q. Thank you. I'm going to show you Page 46 as well. Here I'd like you to read from 04:33:21 PM and down.

A. 'Anything else interesting on this table as a former collector of interesting.com info.' Next line, 'IDK, I don't know. I only know what I provided him.' Next line, 'What do you consider the highlights?' Next line, 'The Gharani airstrike videos and full report Iraq war event log, the GTMO papers and the State Department cable database.'

Q. Thank you, Agent Shaver.

MJ: Do we have another recross?

ATC [CPT MORROW]: I have some more questions, Your Honor.

MJ: Please. I'm sorry. I thought you were going back.

ATC [CPT MORROW]: I'm handing Prosecution Exhibit 30 back to our court reporter.

Q. Agent Shaver, let's talk briefly about Centaur logs. What do they capture?

A. Net flow information, destination port, source port, amount of data transferred, date and times.

Q. When you reviewed the Centaur logs that were collected in this case, did you observe any large gaps in those logs?

A. Yes, sir.

Q. Approximately what was the time period of those gaps?

A. End of December was one of the gaps. There were several other ones. I don't recall specific dates off the top of my head.

Q. Do you recall a gap between November 19th and 1 December?

A. Yes, sir.

Q. And based on your review of that gap, do you think that there was no activity at that time or did you think that there was something wrong with the Centaur sensors?

A. Sir, there was something wrong with the sensors.

Q.  Why  do  you  say  that? 

A.  Sir,  computers  on  a  domain,  they  have  to  communicate  with 
the  domain  server.  But  more  than  that  they  want  to  update.  One  of 
the  things  they  update  is  antivirus  and  time.  The  time  protocol  is 
used  to  keep  all  the  computers  in  sync  with  each  other  because  time 
and  antivirus  was  not  going  on  during  those  timeframes,  either  the 
computer  was  off  or  there  was  a  problem  with  the  sensor. 

Q.  So  you  did  not  observe  any  updating  of  time  or  antivirus  at 
that  time? 


A.  Correct. 

ATC [CPT MORROW]: I'd like to retrieve Defense Exhibit Delta. Agent Shaver, I'd ask you to move over to the panel box again. Agent Shaver, I'm handing you Defense Exhibit Delta.

Q. Please explain again what is Defense Exhibit Delta?

A. It's net flow logs. But it's to and from servers, CENTCOM servers.


Q.  All  the  CENTCOM  servers  that  you  were  able  to  find? 

A.  Correct. 

Q.  And  to  where? 

A.  To  and  from  .40  and  .22. 

Q. Now, please show me in the Centaur logs the activity on 10 April.

A. There are no logs for April.

Q.  There's  no  activity  in  the  Centaur  logs  relating  to  10 
April  2010? 

A.  Correct. 

Q.  What  does  that  tell  you  based  on  what  you  saw  in  the 
index.dat  file  in  PFC  Manning's  .22  computer? 

A.  These  logs  did  not  captured  that  day. 

Q.  Is  it  fair  to  assume  that  Centaur  logs  are  not  a  perfect 
logging  system? 

A.  That's  correct. 

Q.  Because  there  are  some  gaps  in  the  logs? 

A.  Yes,  sir. 

ATC [CPT MORROW]: Now, Agent Shaver, you can move back to the witness stand, please.

Q. Let's talk again about you were shown some Intelink logs again. What does Intelink capture when you search for something?

A. It will capture the key word searched and things that you click on. Search results that you view.

Q.  What  happens  if  you  click  on  a  result  that  comes  back  in 
the  Intelink  logs  or  as  a  result  of  search  in  Intelink? 

A.  If  it's  on  the  Intelink  page  it  should  show  you  to  either 
download  a  document  or  visiting  a  web  page. 

Q.  So  it  will  sort  of  direct  you  to  somewhere  else? 

A. It could.

Q. It could. Well, let's say, what happens if Intelink redirects you to another server?

A. It's no longer a part of Intelink. It passes that information off to the other server so there would be no entries within Intelink because it's no longer part of the Intelink, well, world.

Q. And so is it fair to say that Intelink doesn't capture activities on other servers?

A.  That's  correct. 

Q.  Now,  if  you  viewed  a  video  on  another  server,  would 
Intelink  capture  that  activity? 

A.  Maybe. 

Q.  Maybe.  Explain. 

A.  It  depends  where  the  server,  where  that  file  is. 

Q.  If  you  downloaded  a  video  from  another  server,  would 
Intelink  capture  that  activity? 

A.  Depends  where  the  server  or  where  it  is. 

Q.  If  you  clicked  on  a  result  and  were  redirected  would 
Intelink  capture  that  activity? 

A.  Probably  not. 

ATC [CPT  MORROW]:  No  further  questions. 

MJ:  Recross? 

ADC [CPT TOOMAN]: Yes, ma'am.

RECROSS-EXAMINATION

Questions by the assistant defense counsel [CPT TOOMAN]:

Q. Agent Shaver.

A. Hello, sir.

Q. You just talked with Captain Morrow about the chats, the Lamo chats. You would agree with me that PFC Manning never said when he gave the Farah video or the Gharani airstrike video?

A. Correct, I do not recall a date.

Q. And he never said that he gave them an encrypted version of the video?

A. Well, there was something he mentions, obviously something with encryption and password.

Q. He mentioned that WikiLeaks had an encrypted version, correct?

A. Yes.

Q. But he didn't actually claim to have given them an encrypted version?

A. Correct.

Q. You would agree with me that it's possible that PFC Manning found an unencrypted version and then provided that to WikiLeaks?

A. Anything is possible.

Q. Now, you talked about some of the gaps in the Centaur logs. Were there gaps in the CENTCOM server logs?

A.  Not  to  my  knowledge. 

Q.  And  you  testified  before  that  the  BEPAX  videos  had  been 
accessed  twice,  according  to  the  CENTCOM  server  logs? 

A.  Correct. 

Q.  One  of  those  was  on  28  January? 

A.  Yes,  sir. 

Q.  And  one  of  them  was  on  23  February? 

A.  Correct. 

Q.  Both  of  those  in  2010? 

A.  Correct. 

Q.  Nothing  in  2009? 

A.  Correct. 

Q.  You  would  agree  with  me  that  there's  no  evidence  of  PFC 
Manning  or  the  22  machine  or  the  .40  machine  accessing  a  file  called 
BE22PAX.zip,  correct? 

A.  Correct. 

Q.  Do  you  have  any  knowledge  of  whether  or  not  WikiLeaks  ever 
told  PFC  Manning  that  they  had  an  encrypted  version? 

A.  I  would  have  no  knowledge  of  that. 

Q.  Did  you  review  any  chats  between  PFC  Manning  and  a  person 
associated  with  WikiLeaks? 
A. As part of supervisory, yes.

Q.  Did  you  know  about  a  Tweet  regarding  an  encrypted  video 
that  WikiLeaks  did  on  8  January? 

A. I knew about it later but not during at this time of my
investigation.

Q. So you're aware that on 8 January WikiLeaks apparently --

MJ: 8 January of what year?

ADC [CPT TOOMAN]: 2010, ma'am.

Q. -- Tweeted that they had an encrypted version?

A.  I  don't  remember  the  date  but  I  remember  there  being  a 
Tweet. 

Q.  And  that  was  before  any  chats  between  PFC  Manning  and 
Adrian  Lamo? 

A.  Yes. 

Q.  Those  chats  were  in  May? 

A.  Correct. 

Q.  And  again  in  those  chats  he  never  said  that  —  he  never 
said  I  sent  them  an  encrypted  version? 

A.  Correct. 

Q.  He  just  said  he's  aware  that  WikiLeaks  has  an  encrypted 
version? 

A.  Yes,  sir. 

ADC [CPT TOOMAN]: Nothing further, Your Honor.

MJ: I have — You have a final redirect?

ATC [CPT MORROW]: Final.

MJ: That's fine. That's fine.

ATC [CPT MORROW]: Just three or four questions, Your Honor.

REDIRECT EXAMINATION

Questions by the assistant trial counsel [CPT MORROW]:

Q. Agent Shaver, on Page 46 of the logs we just saw, did PFC
Manning admit to providing the Gharani airstrike videos to WikiLeaks?

A. I got to review it again, sir, I'm sorry.

Q. Sure, yeah.

A. I'm sorry.

ATC [CPT MORROW]: Prosecution Exhibit 30, please. If you could just
refer to Page 46.

Q. Again if you would just read out loud from 'anything
interesting as a collector or'? Agent Shaver, let me help you, I'm
sorry.

A. Thank you.

Q. We'll do it this way. Just start with the entry at 4:33:44 PM?

A. 'IDK', which commonly stand for I don't know. 'I only know
what I provided him'. Next line for Mr. Lamo, 'what do you consider
the highlights? The Gharani airstrike videos and full report Iraqi
war event log, the GTMO papers and the State Department cable
database.'

Q. That's good. Thank you, Agent Shaver. Agent Shaver, I
want to talk about the CENTCOM Sharepoint Server logs again.

A.  Yes,  sir. 

Q.  Did  you  observe  or  did  you  have  logs  collected  in  this  case 
before  1  December  2009? 

A.  No,  sir. 

Q.  Why  is  that? 

A. Because they didn't exist. The logs rotate and we collected
them in July 2010 and that's as far back as they went.

Q. So 1 December 2009, was as far back as CENTCOM had?

A.  Correct. 

Q.  And  when  is  Thanksgiving  generally  in  the  year,  what  month? 

A.  November. 

Q.  Usually  around  what  date  of  November? 

A.  27th. 

ATC [CPT MORROW]: Thank you. No further questions.

MJ:  All  right.  I  have  a  few. 

[END  OF  PAGE] 




EXAMINATION BY THE COURT-MARTIAL

Questions by the military judge:

Q. The first one, can you clear up some confusion for me. I
hear Farah video, Gharani video. Are those the same things, are they
different?

A. The same thing.

Q. Okay. Let me see if I understand what I thought your
testimony was. The Gharani video was only accessed, according to the
records, twice from — Or the Gharani video from the Centaur logs
there's no evidence it was ever transferred from CENTCOM to the .22
or the .40?

A. Correct.

Q. Or at least as called by file name, what is it,
BE22PAX.wmv?

A. It would have been a zip file if it came from the server,
but, yes, ma'am.

Q. And there was a video with that file name on either the .22
or the .40 computer?

A. No, ma'am.

Q. What was on the .22 or .40 computer?

A. There was another video that was identified through the
restore points that was called TGT1.

Q. Okay.

A. Tango Gulf Tango 1.

Q. Okay.

A. However, I have a file name, I don't actually have the
actual video.

Q. Do you know if it is the Farah video?

A. The folder it was in was called Farah but the actual
contents of the video I do not know.

Q. And why is that?

A. It was deleted, overwritten, and I could not recover it.

Q. I believe you testified you said that that file came from
the T-drive?

A. Yes. It was on the T-drive as well by file name and then
it, it was in Manning — Bradley.Manning user profile.

Q. So it was in both the T-drive which is the shared server
drive?

A. Correct.

Q. And in PFC Manning's user profile?

A. Correct.

Q. Now, on the T-drive could you view it?

A. No, ma'am. We did not collect that. That portion was not
collected.

Q. So do you know what the video with that same file name,
what was the file, the TGT video on the T-drive was?

A. No, ma'am.

Q. If you don't know the answer to this just tell me. Did you
all have Centaur logs that captured data from the CENTCOM share file
to the T-drive?

A. No, ma'am.

Q. Do you know when the TGT file, how long it was on the
T-drive when it got there?

A. No, ma'am. I could tell you the first incident it was on
the Bradley.Manning user profile was early March was the first entry
concerning that, 2010.

MJ: I think that's all I have. Any follow-up based on that?

ATC [CPT MORROW]: One moment, Your Honor.

REDIRECT EXAMINATION

Questions by the assistant trial counsel [CPT MORROW]:

Q. Agent Shaver, just to clarify, what does Centaur actually
capture?

A. Connections. Just connections between — and data transfer
between two computers.

Q. Does Centaur capture actual files transferred between two
computers?

A. No, sir, but it does capture the amount of data that was
transferred.

ATC [CPT MORROW]: Thank you.

ADC [CPT TOOMAN]: Just a couple, Your Honor.

RECROSS-EXAMINATION

Questions by the assistant defense counsel [CPT TOOMAN]:

Q. Agent Shaver, the Centaur logs that you reviewed were only
Centaur logs that involved the 22 and 40 machine, correct?

A. That's correct.

Q. I believe the judge asked you if there was any Centaur logs
data showing transfer from CENTCOM to the T-drive but you didn't
review any of those CENTCOM logs log data?

A. Correct.

Q. So you didn't review all the Centaur log data from CENTCOM,
only stuff that implicated the 22 or 40 machine, correct?

A. Correct.

Q. So, it's possible there was transfer from the CENTCOM to
the T-drive; you would have no idea?

A. Correct.

ADC [CPT TOOMAN]: Thank you.

MJ: All right. Temporary or permanent excusal?

ATC [CPT MORROW]: Temporary, Your Honor.

[The witness was temporarily excused, reminded of the previous
warning, and withdrew from the courtroom.]

MJ: All right. I assume you don't want to call anymore
witnesses today?

TC [MAJ FEIN]: Ma'am, sticking to the proposed trial schedule
for the first time, yes, we do not want to call anyone else. The
United States recommends we recess until tomorrow morning at 0930,
and then we'll call the next witness, Special Agent Johnson.

MJ: All right. Any objection to that?

TC [MAJ FEIN]: Excuse me, Your Honor, Mr. Johnson, ma'am.

CDC [MR.  COOMBS]:  No,  Your  Honor. 

MJ:  Any  issues  before  we  recess  the  Court? 

CDC [MR.  COOMBS]:  No,  Your  Honor. 

TC [MAJ  FEIN]:  No,  ma'am. 

MJ:  Court  is  recessed  until  0930  tomorrow. 

[The  court-martial  recessed  at  1801,  11  June  2013.] 

[END  OF  PAGE] 
[The court-martial was called to order at 0940, 12 June 2013.]

MJ: Court is called to order. Major Fein, please account for
the parties.

TC [MAJ FEIN]: Your Honor, all parties when the court last
recessed are again present.

MJ: All right, is the government ready to proceed?

TC [MAJ FEIN]: Yes, ma'am.

MJ: Are there any issues we need to address before we proceed?

TC [MAJ FEIN]: No, ma'am.

CDC [MR. COOMBS]: No, Your Honor.

MJ: All right. Please proceed.

ATC [CPT MORROW]: The government recalls Mr. Mark Johnson.

MARK JOHNSON, civilian, was recalled as a witness for the
prosecution, was previously sworn, and testified as follows:

DIRECT EXAMINATION

Questions by the assistant trial counsel [CPT MORROW]:

ATC [CPT MORROW]: Mr. Johnson, I just want to remind you you're
still under oath.

WIT: Yes, sir.

Q. Mr. Johnson, we discussed your examination of — of an
external hard disk drive earlier. What other pieces of evidence did
you examine in this case?

A. We examined a forensic image obtained from PFC Manning's
MacBook  Pro  laptop. 

ATC [CPT  MORROW]:  Mr.  Johnson  - 

MJ:  Can  you  speak  a  little  bit  - 

ATC [CPT  MORROW]:  -  can  you  speak  up  a  little  bit? 

MJ:  - thank  you. 

WIT:  Sorry,  Your  Honor.  Pardon  me. 

Q.  You  said  a  MacBook  Pro  laptop? 

A.  A  MacBook  Pro  laptop,  yes,  sir. 

Q.  And  what  exactly  did  you  - 

MJ:  A  who  —  from  whom?  A  Mac? 

WIT:  A  MacBook  Pro,  Your  Honor. 

MJ:  Okay. 

Q.  And  what  —  who  makes  that  --  a  MacBook  Pro? 

A.  Apple  Computer. 

Q.  And  what  exactly  did  you  examine? 

A.  I  examined  the  forensic  image  of  the  hard  drive  obtained 
from  that  laptop. 

Q.  And  before  beginning  your  examination,  what  did  you  do 
first? 

A. Well, we retrieved the evidence from our evidence storage,
brought it to my work station, made a local copy — a working copy,
validated the image hash both with the embedded image hash as well as
compared with the notes obtained from the acquiring agent.

MJ: Can I interrupt you for just a minute? I asked "who" I
meant where did the computer come from?

ATC [CPT MORROW]: Oh.

Q. Mr. Johnson, where was this computer collected from?

A. The computer was collected from Private Manning's housing
unit in Iraq at FOB Hammer.

MJ: Thank you.

Q. And what kind of operating system did this computer have?

A. Mac OS X.

Q. And what is Mac OS X?

A. OS X is the operating system used by Apple Computer for
Macintosh computers.

Q. And when was this operating system installed on the
computer?

A. 25 January of 2010.

Q. And how do you know?

A. We obtained the installation log from the operating system
— from the system hard drive.

Q. And where is the installation log located on the computer?

A. The system log folder.

Q. I'm retrieving what's been marked as Prosecution Exhibit
126 for Identification [retrieving the document from the court
reporter.] 126 — oh, 126 Alpha and Bravo. Excuse me. I'm handing
the witness what's been marked as Prosecution Exhibit 125 Alpha and
126 Bravo [handing the documents to the witness]. And just feel free
to extract both together actually.

[The witness did as directed.]

Q.  Mr.  Johnson,  do  you  recognize  that  document? 

A.  I  do. 

Q.  And  what  is  it? 

A.  This  is  the  contents  of  the  install  log  obtained  from  the 
MacBook  Pro's  hard  drive. 

Q.  Now  is  that  the  entire  install  log? 

A.  I  believe  it  is,  sir. 

ATC [CPT  MORROW]:  Okay.  Permission  to  publish  to  the  Court,  Your 
Honor. 

MJ:  Proceed. 

[The  Assistant  Trial  Counsel  [CPT  MORROW]  retrieved  the 
documents  from  the  witness.] 

ATC [CPT MORROW]: Mr. Johnson, I'm going to show you 126 Alpha
first [handing the document to the witness].

Q.  Using  this  exhibit,  can  you  explain  your  testimony  earlier 
about  the  installation  of  the  operating  system? 
A. [Looking at the document] The installation log is created
by the OS X and it logs number of actions related to the installation
of the operating system. On line number 6 here you can actually
annotate where logging — it's starting itself on January 25th.

Q. Now -

MJ: Yes?

ADC [CPT TOOMAN]: Your Honor, the defense will stipulate that the
operating system was installed on 25 January.

MJ: All right.

ATC [CPT MORROW]: Okay. Mr. Johnson, I'm going to show you page
two of 126 Bravo [handing the document to the witness].

Q. Can you explain what else you've — you observed in the
install log?

A. Yeah. If you look at line number 33 here, you'll note that
secure erase complete. This was an option selected during the
installation to securely wipe the hard drive during the installation
process prior to the OS being installed.

Q. Now, what do you mean by a — let's just go through that.
What do you mean a wipe and secure erase? What does that actually
mean? What's — what's the computer actually doing then?

A. It's clearing the storage on the hard drive and writing out
with zeroes.

MJ: And what line is that?

WIT: Line number 33, ma'am.

MJ: Thank you.

ATC [CPT MORROW]: Your Honor, the government moves to admit
Prosecution Exhibits Alpha and Bravo — 126 for Identification.

ADC [CPT TOOMAN]: No objection.

MJ: All right. May I see them, please?

[The assistant trial counsel retrieved the documents from the witness
and handed them to the Military Judge.]

[Pause]

MJ: Prosecution Exhibits 126 Alpha and Bravo are admitted.

Questions continued by the assistant trial counsel [CPT MORROW]:

Q. Now, Mr. Johnson, what was your investigative plan for the
computer?

A. In this case we were looking for evidence of chat
communications or indications compromised — compromised classified
information.

Q. And — so what's the first thing you did?

A. Well, we were looking to see if there was any chat programs
installed on this program — on the computer, and if so, what
information — what information may have been logged.

Q. And what did you find?

A. We identified the Adium program was installed.

Q. And what is Adium?

A. Adium is a chat program used on the OS X.

Q. And did you find any chat logs in the Adium program?

A. We did.

Q. And who were those chats between?

A. Private Manning and Adrian Lamo.

Q. Did the Adium application contain evidence of any other
communications?

A.  Yeah.  We  looked  in  Private  Manning's  buddy  list  for  the 
Adium  program  to  see  who  —  who  else  he  might  have  been  communicating 
with.  We  identified  one  entry  that  was  of  interest  indicating  the 
chat  account  "pressassociation"  was  associated  with  an  alias  of 
Julius  —  Julian  Assange. 

Q.  All  right,  let's  back  up  a  little  bit.  What's  a  what's  a 
"buddy  list"? 

A.  "Buddy  list"  is  your  list  of  friends  or  contacts  that  you 
would  be  chatting  with  in  a  chat  program. 

Q.  And  what  is  an  alias  - 

A.  Ah - 

Q.  -  as  you're  talking  about  in  —  in  this  context? 

A. - in this context an alias would be a nickname or user
supplied contact name.

Q. And the name Julian Assange was associated with what
account?

A. The chat account "pressassociation".

ATC [CPT MORROW]: I'm retrieving what's been marked as
Prosecution Exhibit 120 for Identification [retrieving the document
from the court reporter]. I'm handing the witness what's been marked
as Prosecution Exhibit 120 for Identification [handing the document
to the witness].

Q. Do you recognize those images, Mr. Johnson?

A. I do [looking at the document].

Q.  And  what  are  they? 

A.  The  first  one  here  is  the  —  an  excerpt  of  the  buddy  list 
showing  the  contact  "pressassociation"  associated  with  Julian 
Assange.  The  second  is  an  excerpt  obtained  from  an  unallocated 
clusters  referring  to  "pressassociation"  from  Nathaniel  —  with  the 
alias  of  a  Nathaniel  Frank. 

ATC [CPT  MORROW]:  Permission  to  publish,  Your  Honor. 

MJ:  Granted. 

Q. All right. Let's look at page one of Prosecution Exhibit
120 for ID. Can you just repeat — or just explain the image as it
appears on the screen, please [referring to the projection screen in
the courtroom]?

A. Yeah. This is an excerpt contained from the buddy list.
It shows the buddy account, a Dawg network, which is associated with
Private Manning on his computer. The chat remote person is
"pressassociation" at Jabber.CCC.DE, what I typically refer to as
"pressassociation", the alias below it is Julian Assange, which is
the nickname.

Q. And what's Jabber.CCC.DE?

A. That is a remote host that is used for Jabber
Communications.

Q. And what's "Jabber"?

A. "Jabber" is a — a chat network; it's used by a number of
sources. Until fairly recently it was compat — very similar to
Google Talk.

Q. And where did you find this on the computer?

A. This one was found in the ADIUM's configuration folder.

Q. On so on the allocated side or unallocated side?

A. This one is allocated, sir.

Q. I'm going to show you page two of Prosecution Exhibit 120
for ID. Can you explain this image, please [projecting an image of
the document on the projector screen]?

A.  This  one  is  an  excerpt  taken  from  an  unallocated  cluster, 
which  appears  to  have  been  a  deleted  or  removed  entry  for  that  same 
"pressassociation"  account,  also  associated  with  Dot  network.  This 
time,  however,  it's  showing  the  alias  of  Nathaniel  Frank. 

Q.  And  where  did  you  find  this  —  find  this  information  on  the 
computer? 
A. This is an — an unallocated cluster, sir.

Q.  And,  again,  what  does  that  mean  for  the  for  the  Court? 

A.  Unallocated  clusters  for  our  purposes  today  will  be  deleted 
files  —  contents  of  formal  —  former  files. 

ATC [CPT MORROW]: Your Honor, the prosecution moves to admit
Prosecution Exhibits — Prosecution Exhibit 120 for ID into evidence
[handing the document to the Military Judge].

ADC [CPT  TOOMAN] :  No  objection. 

MJ:  Prosecution  Exhibit  120  for  Identification's  admitted. 

Q.  Now,  Mr.  Johnson,  we  talked  about  this  before,  but  how  do 
you  search  unallocated  space  on  a  computer? 

A.  It  would  depend  on  the  situation.  Often  times  we're  using 
keyword  searches  to  try  —  for  things  we  already  know. 

Q.  Just  —  can  you  give  me  an  example? 

A. For example, in this case I would be looking for
"pressassociation" or Nathaniel Frank.

Q.  And  so  you'd  use  —  now  how  would  you  use  that  keyword  with 
a  forensic  tool? 

A.  We  use  the  keyword  search  in  the  EnCase  forensic  tool  to 
find  a  list  of  matches. 

Q.  So  after  you  found  the  "pressassociation"  account  in  the 
unallocated  space,  what  did  you  do  next? 
A. Well, now that we have an additional alias of Nathaniel
Frank, we're going to look for other chats with that alias associated
with "pressassociation" to see if there was any other remnants of
that account.

Q. And what did you find?

A. We found a log — a large list of other — what appear to
be chats with Nathaniel Frank — between Nathaniel Frank and Bradley
Manning.

Q. And where did you find these chats on the computer?

A. Unallocated space, sir.

Q. And were these chats -- was it all in one file, like all
put together?

A. No. They were in a number of chunks some — split up
through the unallocated space.

Q. And were the chats readable to humans?

A. They are readable, but they are fragments of XML used by
Adium, so they're ease — they're readable but they're not easy to
parse by a human contact.

Q. You said XML. What is XML?

A. XML is a language used by a number of applications, web
browsers, and other applications. It's intended for ease of
computers to parse data. It's not really intended for human
consumption, but it is readable.

Q. Now, when you — when you read through the contents of
these chat logs in the unallocated space, what stood out to you?

A. They appear to be discussing government information.

Q. Now, my understanding of unallocated space is that there's
generally not a date associated with the information. Do these chat
logs have dates?

A. Yes, they did. That's true, when in unallocated space, we
often lose the metadata associated with the file because the file is
no longer there. However, in this particular case the date and time
with the chats is actually logged as part of the chat log entry
itself, so it was recoverable.

Q. And once you identified the chats in the unallocated space,
what did you do next?

A. After we identified the — the entries, we carved them out
using EnCase, sent them out to an external file so I could make them
more easy to read.

Q. And what form did you put the chats at that point?

A. I converted them into an Excel spreadsheet.

Q. Now, when you converted the chats did alter the content in
any way?

A. No, sir.

Q. And how did you organize — organize these chats in the
spreadsheet?

A. They were organized by date and time.

ATC [CPT MORROW]: I'm retrieving what's been marked as
Prosecution Exhibit 123 for Identification [retrieving the document
from the court reporter]. I'm handing the witness what's been marked
as Prosecution Exhibit 123 for Identification [handing the document
to the witness].

Q. Mr. Johnson, do you recognize that document?

A. I do [looking at the document].

Q.  And  what  is  it? 

A.  This  is  the  contents  of  the  spreadsheet  I  created  from  the 
chats  extracted  from  the  unallocated  space  between  Bradley  Manning 
and  the  alias  of  Nathaniel  Frank. 

ATC [CPT  MORROW]:  And  —  permission  to  —  actually,  hold  on  one 
second. 

Q.  Now,  did  you  create  this  document? 

A.  Yes,  sir. 

Q.  And  I  assume  when  you  created  the  document  it  was  a  digital 
file,  is  that  correct? 

A.  Yes,  sir. 

Q.  Is  this  how  the  document  would  appear  if  printed? 

A.  Yes,  sir. 

ATC [CPT  MORROW]:  Your  Honor,  the  prosecution  --  well. 
Q. What's the first date of the chats that you were able to
recover?

A.  March  5th,  2010. 

Q.  And  what  was  the  last  date  of  the  chats? 

A.  March  18th,  2010. 

Q.  Now,  did  you  recover  chats  for  every  day  in  between  March 
5th  and  March  18th? 

A.  I  don't  believe  we  have  every  single  date.  I  don't  recall 
specifically.  [Looking  through  the  document]  No,  there's  --  there 
are  dates  missing,  sir. 

Q.  Now,  are  —  is  this  the  extent  of  the  chats  you  were  able 
to  recover  in  the  unallocated  space? 

A.  Yes,  sir. 

Q.  And  you  said  something  about  government  information 
earlier.  What  government  information  did  they  discuss  or  did  the 
parties  discuss  in  the  chat  logs? 

A.  They  have  a  variety  of  topics  here.  Specifically  they  were 
mentioning  Iceland,  Iraq,  Afghanistan,  and  GTMO. 

Q.  And  do  the  parties  discuss  WikiLeaks? 

A.  Yes,  sir. 


ATC [CPT MORROW]: Your Honor, at this time the prosecution moves
to admit Prosecution Exhibit 123 for Identification into evidence
[retrieving the document from the witness and handing it to the
Military Judge].

ADC [CPT TOOMAN]: No objection, ma'am.

MJ: All right. Prosecution Exhibit 123 is admitted.

Q. Mr. Johnson, let's talk about some of your other findings.
Did you find any evidence of connections between this computer and
other computers?

A. Yes, sir.

Q. Can you explain, please?

A. Earlier during chat communications with Mr. Lamo, he had
discussed using SSH or SFTP to transfer files. So I looked to see if
he actually was using SSH or SFTP.

Q. All right. So let's go very slowly.

MJ: Yeah, I was going to say — I was going to ask you, if you
could speak just a little more slowly. I'm having difficulty
understanding you.

WIT: Sorry, Your Honor.

Q. What is SSH?

A. SSH is the secured shell. It is a computer program or
computer lang — protocol used for creating encrypted communication
link between multiple remote computers.

Q. And what is SFTP?

A. SFTP is a subset or it works in conjunction with SSH. It
stands  for  the  secure  file  transfer  protocol.  It  is  to  allow  for 
transferring  of  files  over  the  SSH  communication  link. 

Q.  Now,  when  you  looked  at  the  —  first  of  all,  where  did  you 
find  this  SSH  information? 

A.  We  found  it  in  the  known  hosts  file.  That  is  a  file  that 
contains  public  key  information  of  remote  hosts  that  have  been 
connected  to  at  least  once. 

Q.  And  what  do  you  mean  by  "public  key  information"? 

A. SSH uses public key cryptography to handle the encryption
between the hosts. The public key is stored locally so that you are
able to encrypt the communication to the remote recipient.

Q. And what did you observe in this known host file?

A. Well, we saw several IP addresses and a URL connecting to
ports that are unusual for SSH. They stood out because of that.

Q.  And  were  you  able  to  resolve  where  these  connections  were 
made  to? 

A.  Yes,  sir. 

Q.  And  where  were  they  made  to? 

A. The IP addresses and domain names, one of them could be
traced back by CCO investigations to Verizon Communications that
ultimately resolved back to Bradley Manning's aunt. The others
resolved back to an ISP known as PRQ known to be associated with
WikiLeaks.

Q.  And  did  you  find  any  emails  on  the  computer? 

A.  We  did. 

Q.  And  where  did  you  find  emails? 

A.  In  his  Thunderbird  email  cache. 

Q.  And  what  is  "Thunderbird"? 

A.  "Thunderbird"  is  a  client  email  program  similar  to  Outlook 
used  on  a  number  of  operating  systems  including  the  Mac. 

Q.  And  when  you  say  "a  cache",  what  do  you  mean  by  that? 

A. There's actually email in this case was a Gmail account,
which is normally a storage server site, but when it's connected to
it'll download it and store it locally or offline use or for speed.

Q.  So  this  email  was  stored  locally  on  the  computer? 

A.  Yes,  sir. 

Q.  And  what  did  you  do  with  the  email  you  found  on  this 
computer? 

A.  We  looked  through  the  email  to  see  if  there  was  any 
relevant  content. 

Q.  And  what  do  you  mean  by  "relevant  content"?  What  were  you 
looking  for? 

A.  Specifically  classified  information,  discussions  of 
government  information  and  the  like. 
Q. And what did you find in this email?

A. We identified a number of PGP or GPG encrypted emails.

Q. All right, so let's start slowly with that again. What's
"PGP"?

A. "PGP" is Pretty Good Privacy; a public key based encryption
mechanism used for — predominantly with email. And "GPG" is the
open source clone of that.

Q. So they're basically the sort — sort of the same?

A. They are entirely compatible with one another.

Q. Now, you said -- were these messages encrypted?

A. Yes, sir.

Q. Did you find unencrypted messages?

A. I did.

Q. And was there anything of interest in some of the
unencrypted messages?

A. The unencrypted message indicated potentially a discussion
of classified information.

Q. So let's go back to — you mentioned -- you mentioned
public keys a number of times. If an email is encrypted, how does
the other party read the email?

A. With public key cryptography, in the case of -

Q. Can you speak up a little bit, Mr. Johnson?

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A.  I'm  sorry.  Pardon  me.  I'm  not  a  loud  talker.  When  — 
public  key  cryptography  is  a  concept  of  only  —  you  only  want  to  be 
able  to  —  the  authorized  recipient  to  be  able  to  decrypt  your 
message.  PGP  does  this  and  so  does  our  CAC  based  authentication; 
they  use  the  same  principles.  The  public  key  is  from  the  recipient; 
you  have  a  corresponding  secret  key.  They  work  mathematically  with 
each  other,  so  I  can  encrypt  messages  to  someone  and  I  can  receive 
messages  from  them,  but  only  that  person  can  decrypt  them. 

Q.  Now,  how  does  a  forensic  examiner  go  about  decrypting  email 
they  find? 

A.  Well,  on  this  particular  machine  I  can  only  decrypt  the 
information  that's  been  sent  to  me.  I  cannot  see  the  messages  that 
are  being  sent  out  because  I  don't  have  the  recipient's  public  key, 
but  I  do  have  the  public  key  —  or  the  secret  key  for  Private  Manning 
because  it's  on  his  computer.  All  I  have  to  identify  is  the  password 
necessary  to  open  that  private  key. 

Q. And were you able to find the password for this private
key?

A.  I  was. 

Q.  And  how'd  you  locate  that? 

A. Well, when we have — we have to decrypt things, we have to
try to figure out the password. And one of the things we're going to
look at is has he used passwords that we know about from the past.
In the passphrase for his PGP private key was the same as his log-in
password for the Mac.

Q. And what do you mean by a log-in password for the computer?

A. All user accounts on the Mac are going to have a log-in
password associated with it. They're normally set up during
installation or possibly changed at a later date, even if the machine
is set to auto log on. In that case the password is actually stored
on the hard drive, we use a tool, the Mac forensics lab, to extract
that log-in password. I can then compare that against and try it
against his PGP and found it worked.

Q. So the Mac log-in password was used against the private key
in this case?

A. Yes, sir.

Q. Now, once you figured that out, what were you able to do?

A. At this point I can then run the encrypted messages through
PGP myself and decrypt them.

Q. And did — did you review the decrypted email?

A. I did.

Q. And what did you find?

A. I found discussions of classified information, specifically
Private Manning's role in the release of the collateral murder video.

MJ: Can you say that one more time?

WIT: Specifically with release -- his involvement in the release
of the collateral murder video.

ATC [CPT MORROW]: I'm retrieving what's been marked as
Prosecution Exhibit 41 for Identification [retrieving the document
from the court reporter]. I'm handing the witness what's been marked
as Prosecution Exhibit 41 for Identification [handing the document to
the witness].

WIT: Yes, sir.

Q. Do you recognize that document?

A. I do.

Q. And what is it?

A. This is one of the emails between Bradley Manning and Mr.
Eric Schmiedel obtained from his email account discussing classified
information.

Q. And can you just read — well, actually let me —
permission to publish to the Court, Your Honor.

MJ: Go ahead.

ATC [CPT MORROW]: I'm just going to publish Page 1.

Q. Mr. Johnson, is this the email you reviewed in PFC
Manning's computer — or at least one of emails you reviewed
[referring the document in the projection screen]?

A. Yes, sir.

Q. And just can you point out in the email the information we
were talking about earlier?

A. On this case what you can see here is an email thread. If
you look about three-fourths of the way down you can see where you're
seeing Bradley Manning's reply. This is the few answers I have
various other questions, and the very next line there, I approve the
edits without reviewing the video. If you go back, you can see from
this whole thing at the top here, my objection to collateral murder.
This whole email is in relation to the collateral murder video.

Q. And does the email discuss other government information
that PFC Manning allegedly compromised?

A. Yes, sir. We have a number of state department cables
being discussed.

ATC [CPT MORROW]: Your Honor, the prosecution moves to admit
Prosecution Exhibit 41 for Identification into evidence.

ADC [CPT TOOMAN]: No objection, ma'am.

MJ: May I see it, please?

[The assistant trial counsel handed the document to the Military
Judge.]

MJ: Prosecution Exhibit 41 for Identification's admitted.

Q. Mr. Johnson, I want to talk to — or shift to some of the
capabilities of this computer. This — did this computer have a CD
-- a CD or a DVD system?

A. It did.

Q. And are there any ways to tell whether a CD has been — or
a CD or a DVD has been written to or erased?

A. Yes, sir.

Q. And how would you tell that?

A. In this case the operating system contains a disk recording
log that keeps track of the number of actions related to the
operation or eraser or erasure — re-erasure of rewritable disks.

Q. And where did you find this disk recording log?

A. It's in the log folder.

Q. And is this — how is this information created?

A. It's maintained by the operating system itself.

Q. And when you reviewed the disk recording log, what'd you
find?

A. We found indications of a number of optical medias being
written

Q. Can you say that again, please? I'm sorry.

A. Written and erased.

ATC [CPT MORROW]: I'm going to show you what's been marked as
Prosecution Exhibit 124 for ID. I'm handing the witness has been
marked as Prosecution Exhibit 124 for Identification [handing the
document to the witness].

Q. Mr. Johnson, can you review that document, please?

[The witness did as directed.]

A. It's the wrong document.

Q. Do you recognize the document?

A. If this is the disk utility log.

ATC [CPT MORROW]: I'm sorry. I retrieved the wrong exhibit. My
apologies. One moment [retrieving the document from the witness and
handing him another document].

Q. What is the document, Mr. Johnson?

A. This is the contents of what appears to be the disk utility
log [looking at the document]. I'm sorry, sir. This is correct.
This is the disk recording log. I do apologize.

MJ: I'm sorry. It's a what?

WIT: Disk recording log.

MJ: Disk recording log?

ATC [CPT MORROW]: It's a disk recording log.

MJ: Thank you.

WIT: I do apologize. I was thrown off here. I haven't seen
this with the line numbers until today.

Q. Yeah. Did you — did you create — or did you extract that
document from the ——

A. Yes, sir.

Q. Now, what's different about this document from what you
extracted?

A. It has had line numbers appended to it for clarity.

ATC [CPT MORROW]: Permission to publish, Your Honor.

MJ:  Go  ahead. 

Q.  I'm  showing  you  Page  1  of  the  disk  recording  log.  Mr. 
Johnson,  when  was  the  first  recording  of  a  disk  being  written  to  or 
erased  [referring  to  the  document  on  the  projection  screen]? 

A.  The  log  is  indicating  that  the  first  one  in  this  case  was 
January  30  of  2010. 

Q. And I'm going to show you the last page of this exhibit.
Page 5 [referring to the projection screen]. What is the last
recording in this case?

A.  April  30th,  2010. 

Q. And what's that showing in line 189?

A.  That  an  erasure  has  occurred. 

Q.  And  what  does  that  mean? 

A.  A  rewritable  disk,  in  this  case  a  CD  rewritable,  has  been 
erased. 

Q.  Now,  if  you  —  if  I  showed  you  every  page  of  this  log,  what 
type  of  information  is  contained? 

A. You'll see a number of those series of both erasures and
burns.

ATC [CPT MORROW]: Your Honor, the prosecution moves to admit
Prosecution Exhibit 124 for Identification into evidence.

ADC [CPT TOOMAN]: No objection, Your Honor.

MJ: Prosecution Exhibit 124 is admitted.

Q. Now, in a disk recording log, could you tell what files
were on those CDs?

A. No, sir.

Q. And at any time in this case or during your examination did
you search for file names that may have been on CDs that were burned
or erased?

A. Yes, sir.

Q. And what did you find?

A. Previously I had identified a CD that had been obtained
from Private Manning's housing unit made in Iraq. We had a file name
on that disk that was provided to me. We searched for that file name
on the disk image of his Mac.

Q. And do you recall the file name?

A. I don't recall the entire file name, but it was partially
engagement video.

ATC [CPT MORROW]: I'm going to show you what's been marked as
Prosecution Exhibit 121 for Identification.

[Pause]

ATC [CPT MORROW]: I'm handing the witness what's been marked
Prosecution Exhibit 121 for Identification [handing the document to
the witness].

Q. Do you recognize that document?

A. I do [looking at the document].

Q.  And  what  is  it? 

A.  This  is  a  portion  of  unallocated  space,  a  carved  out 
portion  that  shows  the  file  name  in  question  in  conjunction  with  some 
other  text,  specifically  the  word  volumes  and  what  appears  to  be 
additional  file  names. 

ATC [CPT MORROW]: Permission to publish, Your Honor.

MJ:  Yes. 

Q. Mr. Johnson, let's go through this just — now slowly. How
is this document or image created [referring to the document on the
projection screen]?

A. We're looking at the unallocated clusters in EnCase in a
raw format. Since we don't have file or allocated information, we
have to actually look at it raw. What you're seeing here is a
snippet of that information it pulled from that as I would see it in
EnCase's image — or viewer.

Q.  Now,  can  you  —  using  this  image,  can  you  describe  for  the 
Court  the  keyword  you  searched  in  order  to  find  it? 

A. If you look for the — and then right there sort of in the
middle of the page the July 07 CZ engagement zone, the engagement
zone is what I'm looking for. And what you can see here around it is
information that was obtained or related to it, specifically to the
left you can see the word "volumes" and some numbers. Putting all
that together is a clue.

Q. And what does "volumes" mean to you?

A. On the Mac operating system the "volumes" is used as a
mounting point; that being you have to attach external media or
removable media, whether that be CDs, DVDs, external hard drives, et
cetera, they have to be attached to the system so you can view 'em.
Mac uses the word "volumes" as their mounting point.

Q. So "volumes" — what does "volumes" indicate to you then?

A. Seeing a fragment like this in conjunction with a file name
that I'm looking for would indicate to me that that — a file with
that name was possibly contained on external media.

Q. External media that was inserted into the computer?

A. Yes, sir.

Q. Now, once you found this excerpt in the unallocated space,
what did you do next?

A. Now that I see that he's got external media with content
that's potentially relevant, I want to see if there's anything else
of similar nature, so I'm looking for other volumes that might have
been attached.

Q. And what did you do when you — did you find any other
volumes that might have been attached or any external — or evidence
of any external media being attached to the computer?

A. We did.

Q.  And  what  did  you  do  once  you  found  those  other  files  or 
references? 

A.  I  went  to  find  the  other  volumes  by  using  a  pattern.  And 
doing  so  I  found  a  large  number  of  matches  for  the  pattern.  After  I 
find  those  I  identified  all  of  them  and  extracted  them  out  to  my 
examination  work  station. 

ATC [CPT  MORROW]:  I'm  showing  you  what's  been  marked  as 
Prosecution  Exhibit  127  for  Identification. 

[Pause] 

ATC [CPT  MORROW]:  Mr.  Johnson,  I'm  handing  you  what's  been  marked 
as  Prosecution  Exhibit  127  for  Identification  [handing  the  document 
to  the  witness].  And  I'm  going  to  hand  the  court  reporter  121  for 
Identification. 

Q.  Do  you  recognize  that  document? 

A. I do [looking at the document].

Q.  And  what  is  it? 

A.  This  is  the  contents  of  a  text  file  that  I  created  showing 
all  of  the  volumes  that  we  extracted  from  unallocated  space. 

Q.  And  how  did  you  create  this  text  file? 

A. Well, after we find all the matches in unallocated space,
we carve out just the portion relevant I'm looking for; in this case
the — what appears to be file paths. I pulled them out into a text
file where I can manipulate it to make it easier to read; in this
case removing duplicates, sorting it, and creating this document.

ATC [CPT MORROW]: Permission to publish, Your Honor.

MJ:  Go  ahead. 

Q. Mr. Johnson, I'm just going to show you the first page
[referring to the document on the projection screen]. Can you see
that?

A.  Yes,  sir. 

Q.  Can  you  —  how  was  this  —  or  how  did  you  organize  this 
document? 


A.  It  was  sorted. 

Q.  Sorted  by  what? 

A.  Alphabetical. 

Q.  Is  this  sorted  by  date? 

A.  It  would  be  —  yes,  sir. 

Q.  Let's  just  go  through  one  line  --  just  line  —  we'll  say 
line  7;  can  you  just  explain  from  left  to  right  the  information 
contained? 


A. Sure. What you see here after it was extracted is what
appears to be the full path, the volume being the mount that I
discussed earlier. The next thing would be the volume name. All
media has to have some sort of name, so in this case it appears to be
using a date and time as its name, which is common. And then the
last portion there you see line 7, 10Reykjavik13.text would be a file
— likely be a file name.

Q.  Now,  let's  just  back  up  just  a  little  bit.  I  see 
100215_0621  in  line  7.  What  does  that  mean? 

A.  As  I  mentioned,  all  volumes  or  external  media  have  to  have 
a  name  of  some  sort.  If  you  don't  specify  one,  whatever  application 
was  used  to  create  it  will  have  to  come  up  with  one,  and  in  most  — 
in  many  cases  a  date  and  time  is  used  as  that  default,  and  that 
appears  to  be  the  case  here. 

Q.  And  would  the  Roxio  program  create  that  type  of  default 
file  name? 

A.  I  believe  it  does,  sir. 

ATC [CPT  MORROW]:  Your  Honor,  the  prosecution  moves  to  admit 
Prosecution  Exhibit  127  for  Identification  into  evidence. 

ADC [CPT  TOOMAN] :  No  objection,  ma'am. 

MJ:  May  I  see  it,  please? 

[The assistant trial counsel handed the document to the Military
Judge.]

MJ: Prosecution Exhibit 127 is admitted.

Q.  Now,  Mr.  Johnson,  what  was  significant  about  some  of  the 
file  names  you  saw  in  the  —  Prosecution  Exhibit  127? 

A. They appear to have a similar or identical format to
message record numbers.

Q. And what about some of the other ones that are non-State
Department information?

A.  Could  you  be  more  specific,  sir? 

Q.  For  example,  Farah.zip,  I  believe,  was  on  Page  2  — 

A.  Okay. 

Q.  —  was  there  any  evidence  of  that  file  name  being  on  PFC 
Manning's  personal  --  or  SIPRNET  computers? 

A.  I'm  sorry,  sir.  Did  you  say  his  SIPRNET  computers? 

Q.  Yeah,  SIPRNET  computer. 

A. I believe that information was discovered by our agents,
yes, sir.

Q.  Now,  let's  actually  just  roll  back  to  some  other 
information  on  the  computer.  Did  you  find  any  evidence  of  State 
Department  classified  information  or  unclassified  information  on  the 
personal  computer  of  PFC  Manning? 

A.  Yes,  sir. 

Q.  And  what  did  you  find? 

A. We found a number of references to message record numbers,
which is a very unique structure.

Q.  And  where  did  you  find  that? 

A. Unallocated space, sir.

Q. And in the unallocated space or the allocated space, did
you find any State Department messages that were encoded in basic
SQL?

A. No, sir.

Q. Did you find anything that would encode a cable or a State
Department cable in basic SQL?

A. Yes, sir.

Q. And what did you find?

A. We identified what appears to be processing script intended
to convert information from a cable to a Base64 common separated
value format.

Q. And did you attempt to use this script?

A. I did.

Q. And just describe the process of using the script — just
go through it with the Court, please.

A. Well, after we review the contents of the script, we
actually read through the content to see what it might do. We can
see some very distinct things. That it has fields related to message
record numbers, classification in Base64. We also see a hard coded
path pointing directly to Private Manning's home directory. After we
extracted that script, we executed it using some sample cables
provided and it generated the output expected.

Q. So what did it -- so just let's take the 50,000-foot view.
What did you put in and what did it spit out?

A. The input is HTML files of State Department cables; the
output is the common separated value file.

Q. And what was -- with Base64 encoded?

A. Yes, sir.

Q. Now, did you find any evidence that this computer uploaded
information to the WikiLeaks website?

A. We found fragments of what appear to be references to the
WikiLeaks page showing uploads of several file names, specifically
file segment fragments to WikiLeak's page.

Q. And where did you find this evidence?

A. It's in unallocated, sir.

Q. And what — what files appear to have been uploaded to the
WikiLeak's web page?

A. What appear to be file name fragments are Farah.RAR in
segments.

MJ: I'm sorry, what?

WIT: Segments.

Q. Let's — we'll spell it out. When you say Farah — You —
I think your accent might be confusing. Can you just spell — is it
a file -- file fragments or something?

A. Farah.RAR is F-A-R-A-H.R-A-R.

Q. And what is an R-A-R file?

A.  RAR  is  an  RAR  archive.  It  is  a  compression  and  archiving 
format  very  similar  to  the  more  common  zip  that  you're  probably 
familiar  with. 

MJ:  Like  a  zip? 

WIT:  Very  similar  to  a  zip  file,  ma'am. 

Q.  And  when  you  found  this  information,  I  mean,  did  you  find 
the  actual  files  in  this  --  in  part  of  the  computer? 

A.  No,  sir. 

Q.  So  what  exactly  did  this  information  convey  or  what  did  it 
tell  you  when  you  saw  this  information  in  the  unallocated  space? 

A.  I'm  seeing  what  appears  to  be  these  file  names  in 
conjunction  with  URL,  indicating  it  was  being  —  in  conjunction  with 
what  appears  to  be  an  upload  URL.  Also,  it  was  a  series  of  these  in 
conjunction  with  one  another  also  indicating  some  —  what  appear  to 
be  dates  and  times.  And  finally  at  the  end  of  that  the  phrase 
"upload  complete". 

Q.  Now,  when  you  say  there  was  a  series  of  them,  were  they 
separated  into  different  parts? 

A. It appeared to be a segmented RAR file. What that means is
an RAR file that had been broken up into several smaller pieces and
what we're seeing here is the upload of each segment.

Q. Mr. Johnson, I want to shift gears for a moment. One of
the charges in this case involves a theft of a global address list.
Did you find anything related to emails or global address lists in
your review of this computer?

A.  I  did. 

Q.  And  what  did  you  find? 

A.  Two  specific  references  of  relevance. 

Q.  What  was  the  first  one? 

A.  The  first  one  appeared  to  be,  I  would  classify  as  a  tasker 
indicating  someone  requesting  that  the  global  address  list  be 
exfiltrated. 

ATC [CPT  MORROW]:  I'm  retrieving  what's  been  marked  as 
Prosecution  Exhibit  122  for  Identification.  Mr.  Johnson,  I'm  handing 
you  what's  been  marked  as  Prosecution  Exhibit  122  for  Identification. 

Q.  Do  you  recognize  that  image? 

A.  I  do. 

Q.  And  what  is  it? 

A.  This  is  the  contents  of  the  unallocated  space  of  the  tasker 
I  discovered. 

Q.  And  is  that  the  entirety  of  the  tasker  that  you  found? 

A. It seems to be cut off. I don't recall if there was any
more at the bottom of this, sir.

Q. If there was more in the tasker would you have included
that in your screen shot?

A. Yes, sir.

ATC [CPT MORROW]: Permission to publish, Your Honor.

MJ: Go ahead.

Q. Where was this information found again [referring to the
image on the projection screen]?

A. Unallocated, sir.

Q. And how did you find it in the unallocated space?

A. In this case we were — just stumbled upon it during our
examination finding it in other things.

ATC [CPT MORROW]: Your Honor, the prosecution moves to admit
Prosecution Exhibit 122 for Identification into evidence [handing the
document to the Military Judge].

ADC [CPT TOOMAN]: No objection.

MJ: Thank you. Prosecution Exhibit 122 is admitted.

Q. Now, Mr. Johnson, what was the — you mentioned that there
were two things you found that were of interest. What was the second
thing?

A. The second thing was a large number of what appear to be
exchange formatted email addresses.

Q. And what do you mean by "exchange formatted" email
addresses. What is exchange?

A. Exchange is the Microsoft platform for email servers and
infrastructure of email.

Q.  And  you  said  these  were  email  addresses? 

A.  Yes,  sir. 

Q.  Approximately  how  many  email  addresses  did  you  find? 

A.  A  large  number,  sir;  in  the  thousands. 

Q.  In  the  thousands? 

A.  Yes,  sir. 

Q.  Now,  where  was  this  found  on  the  computer? 

A.  Unallocated,  sir. 

Q.  Mr.  Johnson,  it  appears  that  a  lot  of  the  information  you 
found  was  in  the  unallocated  space.  Did  you  find  any  evidence  of 
this  computer  being  wiped  at  any  time? 

A.  Yes,  sir. 

Q.  And  where  did  you  find  that  evidence? 

A.  As  noted  earlier,  the  first  was  —  it  was  wiped  during  the 
installation  process.  Also,  we  identified  that  free  space  had  been 
wiped  on  a  couple  of  occasions. 

Q.  And  what  do  you  mean  by  free  space? 

A.  Free  space  is  the  unallocated  clusters. 

Q.  And  where  did  you  find  that  --  that  evidence? 

A.  The  disk  utility  log. 

Q. And what is a disk utility log?

A. A disk utility log is a log file, again, maintained by the
operating system in conjunction with the use of the disk utility
program.

Q.  And  is  that  log  created  by  a  user  or  is  it  created  by  the 
computer? 

A.  No.  It's  maintained  by  the  system  when  they  use  disk 
utility. 

ATC[CPT  MORROW]:  I'm  retrieving  what's  been  marked  as 
Prosecution  Exhibit  125  for  Identification.  Mr.  Johnson,  I'm  handing 
you  what's  been  marked  as  Prosecution  Exhibit  125  for  Identification. 

WIT:  Okay,  sir. 

Q.  Do  you  recognize  that  document? 

A.  I  do. 

Q.  And  what  is  it? 

A.  This  is  the  contents  of  the  disk  utility  log  obtained  from 
Private  Manning's  computer. 

Q.  And  how  was  the  —  that  document  created? 

A.  This  was  exported  from  the  disk  image  and  dropped  to  my 
examination  workstation.  They're  also  seen  - 

Q. Where in — where in the log can you point me to that
indicates that the free space was wiped?

A. In this log file you will see a number of indications. See
if I can find it and so you can see the example [looking through the
document].

Q. I believe it's — it should be towards the front.

A. Yeah. I'm trying to find it here. Here we are; Page 2.
Where you see secure erase free space being first, in this case,
being stopped. Most -

ATC [CPT MORROW]: Stop you for a moment. Permission to publish
to the Court, Your Honor.

MJ: Go ahead.

ATC [CPT MORROW]: I'm going to publish Page 2.

WIT: Here you go [handing the document to the assistant trial
counsel].

Q. Can you point out the line, Mr. Johnson, that indicates
that the free space was wiped [referring to the image on the
projection screen]?

A. There are two. The first one you see in line 67 starts the
process of running the secure erase — erase free space for
unallocated clusters. This one was canceled; it stopped.

Q. And why was it canceled?

A. I -- my experience would be it was canceled because -

ADC [CPT TOOMAN]: Objection.

MJ: Yes.

ADC [CPT TOOMAN]: This witness wouldn't be able to testify as to
why this particular process was canceled.

MJ: Are you talking about line 67?

WIT: That's the start of it, ma'am.

MJ: Okay.

WIT: It's a block. It completes at line 76 in this block.

ATC [CPT MORROW]: Well -

MJ: Why don't you ask some additional foundation questions?

ATC [CPT MORROW]: I'll ask him a couple different questions.

Q. Mr. Johnson, I'll refer you to line 70. What does that
line indicate to you?

A. It indicates the option to use a 35-pass erase option.
There are several options with secure erase.

Q. Now, what does a 35-pass erase option indicate?

A. Thirty-five passes means the operating system will
literally wipe the drive 35 times.

17  Q.  And  that's  an  option  that  you  can  select  when  you're 

18  choosing  to  - 

19  A.  Yes,  sir.  There  are  several  options,  the  35-pass  being  one 

20  of  them. 

21  Q.  Now,  I'll  refer  you  to  line  74.  Can  you  --  can  you  explain 

22  what's  conveyed  by  that  line? 
1 A. It indicates that it was stopped at 43 seconds, indicating

2 it was likely canceled 'cause it would not have completed in 43

3 seconds.

4 Q. And how long — in your experience, how long does a 35-pass

5 erase take?

6 A. It will depend on the size of the drive, but many, many

7 hours, even days in some cases.

8 Q. And now I'll refer you to line 79. What does that line

9 convey?

10 A. This indicates a 7-pass free space erase; another option

11 available.

12 Q. And, again, what would a — what would the computer do with

13 a 7-pass erase?

14 A. It will erase 7 times versus 35.

15 Q. And what was the result of that 7-pass erase?

16 A. This pass did complete.

17 Q. And how do you know that?

18 A. It's indicated in line 85.

19 Q. Line 85?

20 A. Yes, sir. Or line 85 and line 86, if you wish.

21 Q. And how long did it take to — for the computer to complete

22 the 7-pass erase?

23 A. Three hours and 48 minutes.

8463 




1  ATC [CPT  MORROW]:  Your  Honor,  the  prosecution  moves  to  admit 

2  Prosecution  Exhibit  125  for  Identification  into  evidence. 

3  ADC [CPT  TOOMAN] :  No  objection,  ma'am. 

4  MJ:  Can  I  see  it,  please? 

5  [The  assistant  trial  counsel  handed  the  document  to  the  Military 

6  Judge.] 

7  MJ:  Prosecution  Exhibit  125  for  Identification's  admitted. 

8  Q.  Now,  Mr.  Johnson,  based  on  what  you  reviewed  in  the  install 

9  log  and  what  you've  reviewed  in  the  disk  utility  log,  what  can  you  — 

10  what  can  you  say  about  what  is  able  to  be  recovered  from  this 

11  computer? 

12  A.  All  we  can  say  is  all  of  the  allocated  files  in  this  system 

13  have  been  created  subsequent  to  its  installation  on  January  25th. 

14  However,  all  of  the  unallocated  is  after  the  last  free  space  —  free 

15  space  wipe  on  January  31st. 

16  Q.  So  just  —  just  in  short,  what  are  the  pertinent  dates  for 

17  —  in  terms  of  the  information  that  can  be  recovered  on  the  computer? 

18  A.  Nothing  can  be  recovered  prior  to  25  January.  Nothing  in 

19  unallocated  space  can  sub  —  prior  to  31  January. 

20  ATC [CPT  MORROW]:  Thank  you,  Mr.  Johnson. 

21  ADC [CPT  TOOMAN]:  Ma'am,  the  defense  requests  a  10  minute  comfort 

22  break  before  we  begin  cross-examination. 

23  MJ:  All  right.  Any  objection? 
TC [MAJ FEIN]: No, ma'am.

MJ:  Court  is  in  recess  until  20  minutes  till  11. 

[The  court-martial  recessed  at  1037,  12  June  2013.] 

[The  court-martial  was  called  to  order  at  1049,  12  June  2013.] 

MJ:  Court  is  called  to  order.  Let  the  record  reflect  all 

parties  present  when  the  Court  last  recessed  are  again  present  in 
court.  The  witness  is  on  the  witness  stand.  Anything  we  need  to 
address? 

TC [MAJ FEIN]: Yes, ma'am. A quick administrative note. At the
start of today's session, Your Honor, there were 12 members of the
media  in  the  media  operations  center,  one  stenographer,  and  the 
public  affairs  office  will  be  able  to  accommodate  the  hot  spot  being 
the  stenographer  starting  today. 

MJ:  All  right. 

TC [MAJ  FEIN]:  Also,  the  overflow  trailer  as  of  the  end  of  this 
previous  recess  or  at  the  end  of  the  session,  going  into  the  recess, 
was  not  being  used  in  the  spectator  area,  and  the  court-martial 
presently  is  not  at  full  capacity. 

MJ:  All  right.  Thank  you.  Cross-examination. 

CROSS-EXAMINATION 

Questions by the Assistant Defense Counsel [CPT TOOMAN]:

Q.  Good  morning,  Mr.  Johnson. 

A.  Good  morning. 


8465 




Q.  Mr.  Johnson,  I  want  to  start  just  by  talking  a  little  bit 
about  your  process  when  you're  doing  a  forensic  analysis.  When  you 
do  that  analysis  you're  looking  for  clues  and  leads,  correct? 

A.  Yes,  sir. 

Q.  And  ultimately,  after  your  analysis  is  over,  you're  going 
to  create  a  report? 

A.  Yes,  sir. 

Q.  And  anything  that's  important  you're  going  to  note  in  that 
report,  correct? 

A.  Yes,  sir. 

Q. I want to talk about the chats that you discussed on direct
examination along with — between PFC Manning and "pressassociation".

A. Okay, sir.

Q. You went through those chats line by line, correct?

A. I believe so, sir.

Q. Read — read them in their entirety?

A. Yes, sir.

Q. You were looking for leads and clues within that document?

A. Yes, sir.

Q. You would agree with me that nowhere in that document is
PFC Manning ever asked to send anything to "pressassociation"?

A. I don't recall, sir. I don't believe so.

Q. You don't recall as in he wasn't asked or you're not sure?
1 A. I'm not sure, sir. I don't recall specifics.

2 ADC [CPT TOOMAN]: Okay. I'll retrieve Prosecution Exhibit 123.

3  Hand  this  to  the  witness.  I  know  it's  lengthy,  Mr.  Johnson,  but  I'll 

4  ask  you  to  look  through  there  —  look  through  the  entire  chat  and  let 

5  me  know  if  you  see  any  instance  where  "pressassociation"  asks  PFC 

6  Manning  to  send  them  something. 

7  [The  witness  did  as  directed  and  began  reading  through  the  document.] 

8  ADC [CPT  TOOMAN]:  And  we  would  ask  the  government  if  they  are 

9  willing  to  stipulate  to  this  to  speed  this  process  along  with  having 

10  Mr.  Johnson  having  to  read  through  the  entire  chat. 

11  ATC [CPT  MORROW]:  No,  Your  Honor. 

12  MJ:  All  right.  The  government's  not  willing. 

13  [The  witness  continued  to  read  through  the  document.] 

14  A.  No,  sir,  I  don't  see  anything  that  would  appear  to  be  a 

15  direct  request. 

16  Q.  Okay.  Thank  you.  You  would  also  agree  with  me,  now  that 

17  you've  reviewed  the  entire  document,  that  at  no  point  is  PFC  Manning 

18  asked  by  "pressassociation",  hey,  do  you  have  access  to  this  or  do 

19  you  have  access  to  that? 

20  A.  I  don't  see  any  direct  knowledge  of  that,  sir,  no. 

21 Q. Okay. So they never ask him, hey, Brad, could you get us

22  this  thing? 

23  A.  No,  sir. 
Q. There's no discussion in that chat of a most wanted list,
is  there? 

A.  No,  sir. 

Q. There's no reference to that at all either by
"pressassociation"?

A.  No,  sir,  I  don't  believe  so. 

Q.  And  my  client  never  references  a  most  wanted  list? 

A.  No,  sir. 

Q.  Now,  PFC  Manning  and  "pressassociation"  do  talk  about  a 
number  of  classified  documents  in  those  chats,  correct? 

A.  Yes,  sir. 

Q.  They  talk  about  the  Iraq  and  Afghanistan  databases? 

A.  The  CIDNE  databases,  sir?  Yes,  sir. 

Q.  Okay.  And  through  your  forensic  examination  you  determined 
that  PFC  Manning  gave  those  SIGACTS;  the  contents  of  those  databases, 
to  WikiLeaks  around  3  No  —  3  February,  is  that  correct? 

A.  Could  you  be  more  specific,  sir? 

Q.  Sure.  Over  the  course  of  your  forensic  examination  you  all 
were  able  to  determine  when  PFC  Manning  gave  certain  items  to 
WikiLeaks,  correct? 

A. I have evidence that information was sent, not specific
information.


8468 




1  Q.  Okay.  Did  you  have  any  evidence  that  the  CIDNE  databases 

2  or  the  contents  of  the  CIDNE  databases  were  sent  from  PFC  Manning  to 

3  WikiLeaks? 

4  A.  I  don't  recall  —  can  you  be  more  specific  on  the  — 

5  specifically  what  you're  asking  for? 

6  Q.  Sure.  One  of  the  charges  against  my  client  is  that  he 

7  downloaded  the  SIGACTS  from  both  the  Iraq  and  the  Afghanistan  CIDNE 

8  databases  and  then  provided  those  documents  to  WikiLeaks. 

9  A.  Correct. 

10  Q.  Did  your  forensic  examination  uncover  any  evidence  of  PFC 

11  Manning  actually  getting  those  things? 

12  A.  I  don't  have  the  contents  of  information  to  verify  whether 

13  it  was  CIDNE  or  not. 

14  Q.  Okay.  Is  there  any  evidence  of  PFC  Manning  getting 

15  SIGACTS,  regardless  of  where  they  came  from? 

16  A.  The  same  thing,  sir,  I  don't  have  contents  just  to  say 

17  whether  it  was  a  SIGACT  or  any  —  anything  else. 

18  Q.  Okay.  Do  you  have  any  forensic  evidence  that  he  gave  a 

19  file  called  "Iraq  Events"  or  a  file  titled  similarly? 

20  A.  No,  sir. 

21  Q.  Okay.  Did  you  have  any  forensic  evidence  of  him  having 

22  sent  a  cable  having  to  do  with  Iceland  to  WikiLeaks? 

23  A.  No,  sir,  beyond  the  discussion  in  the  chat. 
1 Q. Only the discussion in the chat, okay. And what about

2  Guantanamo  Bay  detainee  assessment  briefs? 


3 A.
4 Q.
5 SIGACTS,
6 A.
7 Q.
8 A.
9 Q.
10 MJ:
11 ATC
12 MJ:
13 ATC
14 MJ:
15 Q.
16 A.
17 sir.
18 Q.
19 A.
20 Q.
21 classif ie
22 A.

Yes, sir.

Yes [speaking to the Assistant Trial Counsel]?

What classified information are referenced — what

I don't -
Q. I believe you testified on direct that there was a
reference  to  Iraq  and  Afghanistan. 

A.  Yes,  sir. 

Q.  What  was  that  reference? 

A.  I'd  have  to  refer  to  specifics,  sir. 

Q.  Please  do. 

[The  witness  looked  through  the  document.] 

A. Sir, we have arrest information related to Tigris or Tiger-is,
that would be in that area.

Q.  Okay. 

A.  Specifically,  sir,  we  have  other  references  to  Afghanistan. 
I'm  not  sure  specifically  what  you're  looking  for. 

Q.  Okay.  So  there  are  no  references  to  the  SIGACTS  in  those 


chats? 

A.  There's  no  reference  to  that  term,  sir. 

Q.  Okay.  Is  there  any  reference  to  the  Farah  video  in  those 
chats? 


A.  I  don't  recall.  No,  sir,  I  don't  believe  so. 

Q.  Is  there  any  reference  to  the  Granahi  air  strike  in  that 

chats?  Those  are  the  same  thing,  but  two  different  names. 

A.  I  don't  recall  that  being  in  here,  sir.  I  can  review  it. 
Q.  Please  do. 

[The  witness  began  to  read  the  document.] 
1 MJ: Captain Tooman, is this going to have a point? I can read

2 the chats

3 ADC [CPT TOOMAN]: Yes, ma'am, I guess the point is that they're

4 not in there, and we've also asked Mr. Johnson what the dates are of

5 those chats.

6 WIT: They are in March 2010.

7 Q. But specifically, what's the range? Is the range from 5

8 March to 18 March?

9 A. 5 March to — I believe we have 18 March. Yes, sir.

10 ADC [CPT TOOMAN]: I'll retrieve that exhibit -

11 Q. And there's no discussion of Farah in those chats, correct

12 A. No, sir.

13 A. No, sir.

14 ADC [CPT TOOMAN]: I'll retrieve Prosecution Exhibit 123.

15 Q. Now, you spoke on direct about volume mounting data,

16 correct?

17 A. Uh-huh. Yes, sir.

18 Q. And that's evidence of a CD being burned?

19 A. CD, other removable, some media of some sort.

20 Q. So it could be a flash drive?

21 A. It could be, yes, sir.

22 Q. A SD card?

23 A. Yes, sir.
1 Q. External hard drive?

2  A.  Yes,  sir. 

3  Q.  In  some  fashion,  data  is  being  transferred  from  the 

4  Macintosh  to  another  medium? 

5  A.  Yes,  sir. 

6 ADC [CPT TOOMAN]: I'm going to retrieve Prosecution Exhibit 127,

7  please.  Permission  to  publish,  ma'am? 

8  MJ:  Go  ahead. 

9 Q. Mr. Johnson, can you see that okay [referring to the image

10 on the projection screen]?

11 A. Yes, sir.

12 Q. Okay. I'd like to focus your attention on line 49. What

13 does that line tell you?

14 A. That would indicate that a file potentially named Farah.zip

15 may have come from a volume attached to his machine using the name of

16 100411 918 -- or, excuse me, 0198 — 9 — 0918.

17 Q. Okay. And what that — what the name of that volume

18 suggests is that that — that file, Farah.zip, was put on another

19 medium on April 11th, 2010, correct?

20 A. April 11th? Yes, sir.

21 Q. Okay, and at 0918 in the morning?

22 A. Yes, sir.

23 Q. Approximately?
A. Depending on the timeframe.

Q.  Now,  you're  not  able  to  tell  what  is  actually  in  that  file 
can  you? 

A.  No,  sir. 

Q.  You  weren't  able  to  recover  that? 

A.  No,  sir,  we  were  not. 

Q.  What  is  a  "zip  file",  Mr.  Johnson? 

A.  A  "zip"  is  an  archive,  compressed,  or  an  archiving 

function. 


Q.  Typically  why  would  one  use  that  sort  of  file? 

A.  To  have  additional  files  —  to  consolidate  one  file  into  - 
or  multiple  into  a  single  file  that  can  be  easily  moved  around, 
transferred,  stored. 

Q.  Okay.  And  you  would  agree  with  me,  I  think,  that  another 
use  of  a  zip  file  is  to  compress?  If  you  have  big  files,  you  can 
compress  them  into  one  using  the  zip  function,  correct? 

A.  Yes,  sir. 

Q.  Okay.  So  you  would  agree  with  me  that  it's  possible  that 
inside  that  file  are  documents  that  take  up  a  lot  of  space? 

A.  Yes,  sir. 

Q.  Or  files  that  take  up  a  lot  of  space? 

A.  Yes,  sir. 
1 ADC [CPT TOOMAN]: Removing Prosecution Exhibit 127 from the

2 projector and returning it to court reporter. I'd like to retrieve

3 Prosecution Exhibit 41. Permission to publish, ma'am?

4 MJ: Go ahead.

5 Q. You spoke about this email on direct. This is an email

6 between my client and a person named Eric Schmiedel, correct

7 [referring to the image on the projection screen]?

8 A. Yes, sir.

9 Q. Now, within this video there's classified information

10 that's discussed?

11 A. I'm sorry, within the video?

12 Q. I'm sorry. Within this email?

13 A. I couldn't tell you whether the content of this email is

14 classified.

15 Q. Okay. Does it reference what you understand to be

16 classified material?

17 A. State Department cables, yes, sir.

18 Q. Okay. It also references an entire database of events for

19 the Iraq war?

20 A. Yes, sir.

21 Q. So that would be the SIGACTS, is that what you understand

22 that to be?

23 A. I don't know what those incident reports are, sir.
Q. Okay. It also talks about the Apache video, is that
correct  —  collateral  murder? 

A.  Yes,  sir. 

Q.  Move  it  up  here  a  little  bit. 

A.  Sorry,  sir.  The  screen's  a  little  blurry. 

Q.  Okay. 

A.  Yes,  sir.  Down  in  Section  3. 

Q.  Down  in  Section  3  there's  discussion  of  the  Apache  video? 

A. Yes, sir -- well, collateral murder.

Q.  Collateral  murder? 

A.  Yes,  sir. 

Q.  Do  you  understand  that  those  videos  —  do  you  understand 
those  videos  to  be  the  same  thing? 

A.  Yes,  sir. 

ADC [CPT  TOOMAN] :  I've  removed  the  email  from  the  overhead. 

Q.  Mr.  Johnson,  you'd  agree  with  me  there's  no  other  documents 
or  videos  referenced  in  that  email,  correct? 

A.  I  don't  recall  seeing  anything  else  in  there,  sir. 

ADC [CPT TOOMAN]: Okay. I'm going to hand this to the witness
[retrieving Prosecution Exhibit 41 from the court reporter and
handing it to the witness].

Q.  Mr.  Johnson,  is  there  any  reference  to  a  Farah  video  in 
that  email? 
A. No, sir [looking through the document].

Q.  What  are  the  dates  of  that  email  chain? 

A.  Can  you  be  more  specific,  sir? 

Q.  Sure.  When  —  my  understanding  of  that  document  is  it's  a 
chain  of  emails  — 

A.  Yes,  sir. 

Q.  —  between  PFC  Manning  and  Eric  Schmiedel.  When  was  the 
first  email  sent? 

A.  [Looking  through  the  document]  May  19th. 

Q.  And  when  was  the  last  email  sent  —  the  most  recent  one? 

A.  May  20th. 

ADC [CPT TOOMAN]: Thank you, Mr. Johnson. If I could retrieve
that from you [retrieving the document from the witness and handing
it to the court reporter].

Q.  Mr.  Johnson,  you  spoke  about  your  examination  of  the 
unallocated  clusters,  correct? 

A.  Yes,  sir. 

Q.  And  what  we  understand  the  unallocated  clusters  to  be  are 
basically  that's  where  —  when  you  delete  something,  that's  where  it 
goes? 

A.  Where  it  would  remain,  sir.  Yes,  sir. 

Q.  And  it  would  remain  there  until  it  was  overwritten, 
correct? 
1 A. That's correct.

2 Q. And if it's overwritten, then it's pretty much gone

3 forever?

4 A. Not pretty much, sir, it is gone.

5 Q. It is gone. Okay. Now, within the unallocated clusters,

6 you can't associate a date — a date with something, correct?

7 A. Not directly, sir, no.

8 Q. So you don't know when the file was deleted?

9 A. No, sir.

10 Q. Can't associate a time either?

11 A. No, sir.

12 Q. All you know is that this file is now in the unallocated

13 clusters?

14 A. The contents are, yes, sir.

15 Q. Say again.

16 A. This content. It may be a fragment of a file.

17 Q. Okay. So it could be a partial file?

18 A. Correct.

19 Q. So, for example, if it were a picture, you might only see

20 half a picture?

21 A. Correct.

22 Q. Now, when you were searching the unallocated clusters, you

23 were again searching for any sort of clues, correct?
A. Yes, sir.

Q.  And  one  of  the  things  you  were  searching  for  were  any 
references  to  WikiLeaks? 

A.  Sure. 

Q.  Because  WikiLeaks  — 

A.  Yes. 

Q.  —  was  implicated  in  this  investigation,  you  wanted  to  find 
every  instance  where  WikiLeaks  was  talked  about? 

A.  Sure. 

Q.  Okay.  You  found  several,  didn't  you? 

A.  Yes,  sir. 

Q.  You  found  over  a  hundred  instances  of  the  WikiLeaks  page  in 
the  unallocated  clusters? 

A.  I'd  --  I'd  have  to  refer  to  my  report.  It  sounds 
reasonable. 

Q.  Okay.  You  found  some  JPEGs;  a  JPEG  being  a  picture  file? 

A.  Yes,  sir  —  of  the  WikiLeaks  page,  yes,  sir. 

Q.  Okay.  You  didn't  find  any  evidence  of  what's  known  as  a 
WikiLeaks  most  wanted  list  in  the  unallocated  clusters,  did  you? 

A.  No,  sir. 

Q.  And  you  didn't  find  that  in  the  allocated  clusters  either? 

A.  No,  sir. 
Q. So there — on PFC Manning's computer, whether in the
allocated space or in the unallocated space, no reference to the
WikiLeaks most wanted list?

A. No, sir.

Q. That's something you certainly would have noted had you
found it?

A. Yes, sir.

Q. You also were able to look at or recover other websites
that PFC Manning would have visited?

A. Yes, sir.

Q. None of those websites were associated with terrorism?

A. No, sir.

Q. They weren't associated with a hatred of America or
anti-American beliefs?

A. No, sir.

Q. Now, staying in the unallocated clusters you found several
references to the WikiLeaks submission page, correct?

A. Yes, sir.

Q. And, again, you can't associate a date or a time with those
pages, is that correct?

A. I cannot determine the dates and times of the pages we have
fragments, however, there do appear to be dates and times in the
vicinity of those that appear to be possibly content on that page
Q. Sure. So you don't know when that page ended up in the
unallocated  clusters,  but  when  you  look  at  the  page  itself  there  are 
some  clues  — 

A.  There  are  clues. 

Q.  --  to  the  date,  correct? 

A.  Yes,  sir. 

Q.  And  on  the  submission  page  you  see  what  appears  to  be 
submissions  by  PFC  Manning  to  the  WikiLeaks  web  page  on  a  couple 
different  dates,  correct? 

A.  I  believe  so,  sir.  I'd  have  to  verify  that. 

Q.  Okay.  One  of  those  days  was  the  11th  of  April,  2010? 

A.  I  don't  remember  specific  dates,  sir.  It  sounds 
reasonable. 

Q.  Is  that  about  what  you  remember? 

A.  It  was  April,  sir  —  again,  that  sounds  right,  but  I  don't 

remember  specifically.  I  need  to  refer. 

ADC [CPT TOOMAN]: Okay. Just a moment, please.

[Pause] 

ADC [CPT  TOOMAN]:  Your  Honor,  Mr.  Johnson's  report  —  his  report 
of  PFC  Manning's  Macintosh  computer  is  a  classified  document.  It 
hasn't  been  marked.  We  have  it  here.  If  we  could  take  a  brief 
recess,  we  can  get  that  document  and  have  it  marked  so  Mr.  Johnson 
can  refer  to  it. 
1 MJ: In the panel box?

2 ADC [CPT TOOMAN]: Yes, ma'am. Of course.

3  MJ:  All  right.  How  long  do  you  need? 

4  ADC [CPT  TOOMAN]:  Five  minutes. 

5  MJ:  All  right.  Why  don't  we  make  it  the  regular  ten.  We'll 

6  reconvene  at  11:15.  Court  is  in  recess. 

7  [The  court-martial  recessed  at  1110,  12  June  2013.] 

8  [The  court-martial  was  called  to  order  at  1122,  12  June  2013.] 

9  MJ:  Court  is  called  to  order.  Let  the  record  reflect  all 

10  parties  present  when  the  Court  last  recessed  are  again  present  in 

11  court.  The  witness  is  in  the  panel  box.  Captain  Tooman,  are  you 

12  ready? 

13  ADC [CPT  TOOMAN]:  Yes,  ma'am,  thank  you.  For  the  record,  Mr. 

14  Johnson  has  Defense  Appellate  —  or  Defense  Exhibit  Juliette  for 

15  Identification. 

16  MJ:  I  thought  you  were  getting  a  different  exhibit.  Okay. 

17  Defense  Exhibit  Juliette  is  what  you  were  referencing? 

18  ADC [CPT  TOOMAN]:  Yes,  ma'am. 

19  MJ:  Okay. 

20  ADC [CPT  TOOMAN]:  Yes,  ma'am.  We  —  we  had  it  marked. 

21  MJ:  Okay. 

22  Q.  Mr.  Johnson,  if  you  could  please  take  a  look  at  that 

23  exhibit  and  just  tell  us  what  it  is. 
1 A. This is a copy of my forensic report of his Mac computer.

2  MJ:  Okay.  Now  you're  sitting  way  far  away  from  me  and  I'm 

3  going  to  have  a  real  difficult  time  hearing  you. 

4  WIT:  Sorry,  Your  Honor. 

5  MJ:  Can  you  say  what  that  was  again? 

6  WIT:  This  is  a  copy  of  my  forensic  report  from  his  Mac  computer. 

7  MJ:  Thank  you. 

8  Q.  How  do  you  know  that  that's  your  forensic  report? 

9  A.  It  is  on  our  structure,  it  has  my  signature  copy  attached 

10 to it [looking through the document]. It appears to be complete.

11  Q.  How  did  you  go  about  creating  that  report,  Mr.  Johnson? 

12  A.  I'm  sorry,  sir.  Could  you  be  more  specific? 

13  Q.  Sure.  How  did  you  --  what  was  the  process  you  followed 

14  when  you  created  that  report? 

15  A.  It  was  derived  during  the  course  of  my  investigation.  It 

16  includes  findings  and  is  a  —  ultimately  a  word  document  converted 

17  into  a  WPDF  format. 

18  Q.  Okay.  Now,  Agent  Johnson,  does  that  document  —  I  asked 

19  you  a  question  before  we  recessed  about  submissions  to  WikiLeaks. 

20  A.  Yes,  sir. 

21  Q.  And  would  you  agree  with  me  that  there  was  evidence  in  the 

22  unallocated  clusters  of  a  submission  to  WikiLeaks  on  11  April  2010? 

23  A.  I'll  refer  to  the  report,  sir,  for  the  date. 
Q. Okay.

A.  [Looking  through  the  document]  That  would  be  April  10th, 
2010,  sir. 

Q.  Okay,  so  a  submission  —  what  appears  to  be  a  submission  to 
WikiLeaks  on  April  10th? 

A.  Yes,  sir. 

Q.  Are  there  any  other  days  where  there  appear  to  be 
submissions  to  WikiLeaks  in  April  2010? 

A.  April  11th 
Q.  Okay. 

A.  —  and  April  12th,  sir. 

Q.  Okay.  Are  there  any  other  --  did  you  recover  any  other 
evidence  in  the  unallocated  clusters  of  WikiLeaks  submission  pages? 

A.  I  don't  believe  so,  sir,  no. 

ADC [CPT TOOMAN]: Okay. Mr. Johnson, you can head back to the
witness stand. I've retrieved the exhibit.

[The witness did as directed and resumed his seat at the witness
stand.]

MJ: That's Defense Exhibit Juliette for Identification, right?

ADC [CPT TOOMAN]: Yes. And actually, Your Honor, we would move
-- we would offer this as Defense Exhibit Juliette in the record.

ATC [CPT MORROW]: The report, Your Honor, or the report.
Objection.
MJ: Whatever it is — yes — what's your objection?

ATC [CPT  MORROW]:  Hearsay. 

ADC [CPT TOOMAN]: These are the statements of the witness; he
authenticated it -- his report.

ATC [CPT  MORROW]:  For  the  out  of  court  statements  offered  to 
prove  truth  of  the  matter  asserted. 

MJ:  All  right.  Sustained. 

[Pause] 

ADC [CPT  TOOMAN]:  Your  Honor,  we  would  offer  it  under  803(6); 
business  records  exception  —  created  in  the  ordinary  course  of  Mr. 
Johnson's  business. 

MJ:  Government? 

ATC [CPT  MORROW]:  One  moment,  Your  Honor. 

[Pause] 

ATC [CPT  MORROW]:  Your  Honor,  I  don't  believe  the  defense  has 
laid  a  foundation  for  the  business  record  exception  at  this  point. 

MJ:  Well,  that's  true.  Want  to  continue  on  with  this  witness? 

ADC [CPT  TOOMAN]:  Yes,  ma'am. 

[Pause] 

Q.  Mr.  Johnson,  can  you  explain  for  the  Court  what  that 
document  was  and  why  it  was  created? 

A.  It's  the  forensic  report  that  I  developed  during  the  course 
of  my  investigation. 
Q. How many of those would you say you've created in your
career? 

A.  I  do  not  know,  sir.  A  number. 

Q.  Would  it  be  a  lot? 

A.  A  fair  number,  sir. 

Q.  Hundreds? 

A.  Probably  not,  sir. 

Q.  Is  that  something  that  you  create  every  time  you  do  a 
forensic  examination  of  a  computer  or  some  piece  of  digital  media? 

A.  Not  necessarily,  sir,  no. 

Q.  Okay.  Did  you  do  that  as  part  of  your  duties  with  respect 
to  this  investigation? 

A.  Yes,  sir. 

ADC [CPT  TOOMAN] :  One  moment,  please. 

[Pause] 

Q.  Mr.  Johnson,  were  you  required  to  make  that  report  as  part 
of  your  —  as  part  of  this  investigation? 

A.  Yes,  sir. 

Q.  What  did  you  do  with  it  once  you  created  it?  Where  did  you 
store  it? 

A.  Could  you  be  more  specific,  sir? 

Q.  How  did  you  store  that  document  once  you  created  it? 
A. It's a digital document stored on our closed and classified
systems.

Q.  Is  that  what  you  all  do  with  every  forensic  examination 
report  that  you  create? 

A.  Yes,  they  would  be  on  appropriate  systems. 

ADC [CPT  TOOMAN] :  Your  Honor,  we  would  re-offer  Defense  Exhibit 
Juliette  under  the  business  records  exception. 

MJ:  May  I  see  Defense  Exhibit  Juliette? 

ADC [CPT TOOMAN]: Yes, ma'am [handing the document to the
Military Judge].

[Pause] 

MJ:  Is  this  report  exclusively  your  examination  of  that 

computer?  Did  you  talk  to  anybody  else?  Is  there  —  are  there  any 
statements  from  other  people  in  this  report? 

WIT:  Yes,  sir  —  or  yes,  ma'am. 

MJ:  There  are  statements  from  other  people  in  this  report. 

WIT:  Statements,  ma'am? 

MJ:  Did  you  interview  anybody? 

WIT:  No,  sir  --  no,  ma'am  —  pardon  me. 

MJ:  Government? 

TC [MAJ  FEIN]:  Ma'am,  if  I  may. 

MJ:  Uh-huh. 
1 TC [MAJ FEIN]: A few issues, Your Honor. First, under 803(6),

2  this  document  clearly  was  created  specifically  for  this  court- 

3  martial,  not  necessarily  in  the  regularly  conducted  business  of  Mr. 

4  Johnson.  It's  also  cumulative  with  his  testimony.  If  the  Defense 

5  Counsel  wants  to  refresh  his  recollection  or  use  this  as  past 

6  recollection  recorded,  the  witness  can  testify  off  of  the  document, 

7  but  not  in  lieu  of  or  the  document  substituting  for  the  actual  in- 

8  court  testimony  and  then  --  while  they're  here.  So  it's  not  only 

9  hearsay,  not  falling  under  803(6),  but  it's  also  cumulative  to  his 

10  testimony  of  an  in-court  witness. 

11  MJ:  All  right.  Well,  the  cumulative,  I'm  going  to  overrule. 

12  The  M.R.E.  803(6);  is  this  the  forensic  laboratory  report? 

13  WIT:  Yes,  ma'am,  you  could  treat  it  as  that,  yes,  sir  —  yes, 

14  ma'am. 

15  MJ:  Government? 

16  TC [MAJ  FEIN]:  Yes,  ma'am.  Although  it  is  a  forensic  laboratory 

17  report,  again,  it  was  made  solely  for  the  purposes  of  this 

18  litigation. 

19  MJ:  I'm  going  to  overrule  the  objection.  It's  made  as  part  of 

20  the  regular  course  --  regularly  conducted  business  activity  of  this 

21  entity.  Defense  Exhibit  Juliette's  admitted. 

22  [Pause] 
1 Q. Now, Mr. Johnson, were you able to tell — again, we're

2  still  talking  about  the  WikiLeaks  submissions  from  the  unallocated 

3  clusters;  were  you  able  to  tell  if  those  submissions  were  successful 

4  —  was  the  submission  completed? 

5  A.  There's  an  indication  of  the  words  "upload  complete".  I 

6  would  interpret  as  a  success. 

7  Q.  Okay.  Was  there  any  evidence  that  WikiLeaks  actually  got 

8  it? 

9  A.  I  couldn't  say,  sir.  That  would  not  be  available  on  this 

10  computer. 

11  Q.  Okay.  In  the  course  of  your  investigation  did  you  uncover 

12  any  evidence  of  WikiLeaks  releasing  anything  related  to  Farah? 

13  A.  I  did  not.  No. 

14  Q.  Now,  you  also  did  a  search  for  —  on  the  computer  for 

15  Farah,  correct? 

16  A.  Yes,  sir,  I  believe  so. 

17  Q.  And  you  found  several  files,  again,  in  the  unallocated 

18  clusters,  and  they  were  in  the  location 

19 "users/BManning/desktop/Farah/Farah"?

20  A.  That  was  references  to  it.  I  don't  believe  those  were 

21  actual  files  that  we  found. 

22  Q.  Okay.  What  was  —  what  was  in  there? 
1 A. I don't recall, sir. I don't recall the specific names,

2  sir. 

3 ADC [CPT TOOMAN]: Okay. I'm going to hand the witness Defense

4  Exhibit  Juliette.  If  you  would  please  move  to  the  panel  box. 

5  [The  witness  did  as  directed.] 

6  TC [MAJ  FEIN]:  Your  Honor,  objection.  If  it's  already  admitted 

7  now  this  would  be  cumulative  to  the  actual  report. 

8  MJ:  Major  Fein,  the  government's  been  doing  that  throughout  the 

9  trial. 

10  TC [MAJ  FEIN]:  Yes,  ma'am. 

11 ADC [CPT TOOMAN]: I'm handing the exhibit to the witness [handing

12 the exhibit to the witness in the panel box].

13  Q.  I  believe  this  would  be  on  the  same  page  you  were  just 

14  looking  at,  Mr.  Johnson. 

15  A.  Thank  you,  sir.  Which  I  have  to  find  again. 

16  Q.  I  believe  it's  Page  67  or  66. 

17  A.  Thank  you,  sir. 

18  [The  witness  looked  through  the  document.] 

19  A.  Okay.  Can  you  repeat  your  question,  sir? 

20  Q.  Sure.  You  would  agree  with  me  that  you  found  references  to 

21  Farah  in  a  location  that  was  users/BManning/desktop/Farah/Farah? 

22  A.  The  /Farah,  sir,  the  rest  of  that  is  the  file  name  — 

23  users/BManning/desktop/Farah. 

1 Q. Okay. Just one Farah —

2 A. Correct.

3 Q. — in the location?

4 A. That's correct, sir.

5 Q. And in that file you found seven files titled "Farah",

6 correct?

7 A. Yes, sir, I believe so [looking through the document].

8 Q. Okay, and they were titled Farah.part-1, and then they all

9 had that — that name, correct, with the different number at the end?

10 A. That's correct, sir.

11 Q. So Farah.part-1 through Farah.part-7?

12 A. Yes, with .RAR on the end of that, sir.

13 Q. .RAR. Okay. And you don't know when those documents

14 arrived in that location, do you?

15 A. No, sir.

16 Q. But you could say that those documents got there after 31

17 January, correct?

18 A. In reference to these documents, yes, sir.

19 Q. Well, the unallocated space was wiped on 31 January,

20 correct?

21 A. Yes, sir.

22 Q. So anything that is in the unallocated clusters must have

23 arrived there after 31 January, right?
A. Yes, sir.

Q.  Okay.  Now,  you  also  found  several  documents  related  to 
Farah  that  in  your  examination  were  identical  to  files  found  on 
CENTCOM  servers,  correct? 

A.  Could  you  be  more  specific,  sir? 

Q.  Sure.  You  found  54  pictures  that  were  --  and  before  you 
refer  to  the  document  — 

A.  Yes,  sir. 

Q.  —  if  you  can  answer  from  your  memory,  and  if  not,  then 
refer  to  the  document.  Do  you  recall  finding  54  pictures  in  the 
unallocated  space  that  had  identical  hash  values  as  pictures  found  on 
the  CENTCOM  server? 

A.  Yes,  sir,  I  believe  so. 

Q.  You  also  found  one  video  that  was  identical  hash  value  to  a 
video  found  on  the  Farah  server,  correct? 

A.  I  don't  believe  so.  I  don't  recall  specifically,  sir. 

Q.  Okay.  Well,  please  look  and  verify  that. 

[The  witness  looked  through  the  document.] 

A.  Yes,  sir. 

Q.  Okay,  and  you  - 

MJ:  What  was  the  question  again  —  that  last  question? 
Q. Yes, ma'am. Mr. Johnson, in the unallocated clusters you
found  a  video  that  had  the  same  hash  value  as  a  video  that  you  found 
on  the  CENTCOM  server,  correct? 

A.  They  were  contained  within  a  recovered  RAR  file,  yes,  sir. 

Q.  And  that  recovered  RAR  file  was  associated  with  Farah, 
correct? 

A.  Yes,  sir. 

Q.  Okay.  So  you  would  —  you  would  assume  that  that  video 
file  has  something  to  do  with  Farah? 

A.  Yes,  sir. 

Q.  Particularly  since  the  hash  value  of  the  video  on  PFC 
Manning's  computer  matched  the  hash  value  of  a  video  that  you  found 
within  the  Farah  folders  on  the  CENTCOM  server? 

A.  Agent  Shaver  found  all  the  files  on  CENTCOM.  We  have 
compared  them. 

Q.  Okay.  And  you  didn't  make  note  of  the  actual  file  type, 
did  you? 

A.  File  type?  No,  sir. 

Q.  Just  it's  a  video  file? 

A.  A  video  file,  yes,  sir. 

Q.  And  you'd  agree  with  me  that  there  are  multiple  types  of 
formats  that  a  video  file  could  be  in,  correct? 

A.  Yes,  sir. 
Q. There's WMV; that's a type of movie file?

A.  Yes,  sir. 

Q.  There's  also  —  what  are  some  other  ones? 

A.  MP4,  AVI  —  there's  a  large  number,  sir. 

Q.  Okay,  and  you  all  didn't  note  what  type  of  file  it  was? 

A.  No,  sir,  I  did  not. 

Q.  And  you  didn't  make  a  note  of  the  file  name  on  the  Farah 
server  that  the  file  on  PFC  Manning's  computer  matched,  correct? 

A.  No,  sir,  I  did  not. 

Q.  Okay,  just  one  of  the  videos  on  CENTCOM  server  matched  a 
video  in  PFC  Manning's  unallocated  clusters? 

A.  Yes,  sir. 

Q.  Okay,  so  we  don't  know  what  video  that  is? 

A.  No,  sir,  I  do  not  recall. 

Q.  But  you  would  agree  with  me  that  that  video  must  have 
arrived  in  the  unallocated  clusters  after  31  January? 

A.  Yes,  the  RAR  file  would  have  been  there  after  31  January. 

Q.  And  you  didn't  find  any  references  to  the  Farah  video  in 
the  allocated  clusters? 

A.  No,  sir,  I  don't  believe  so. 

ADC [CPT TOOMAN]: Okay. I'm going to retrieve Prosecution — or
Defense  Exhibit  Juliette.  And,  Mr.  Johnson,  can  you  retake  the 
witness  chair. 

1  [The  witness  did  as  directed  and  resumed  his  seat  at  the  witness 

2  stand.] 

3  Q.  Mr.  Johnson,  throughout  your  investigation  you  talked  about 

4  you  looked  at  everything  on  PFC  Manning's  computer,  right? 

5  A.  Define  "everything",  sir. 

6  Q.  You  looked  at  every  bit  and  byte  on  that  computer,  and  you 

7  looked  at  it  for  evidence? 


8 A. I've looked at the contents, sir. I can't say we've

9 examined every bit and byte.

10 Q. Okay. Well, you had — you had a forensic image of it,

11 which is an exact copy, correct?

12 A. Yes, sir.

13 Q. And within that exact copy you conducted searches?

14 A. Yes, sir.

15 Q. And those searches looked at the entire computer, correct?

16 A. Yes, sir.

17 Q. The allocated space and the unallocated space?

18 A. Yes, sir.

19 Q. That included chats, which we've talked about, correct?

20 A. Yes, sir.

21 Q. That included emails?

22 A. Yes, sir.
1 Q. You found no references on PFC Manning's personal Macintosh

2  to  Jason  Katz,  did  you? 


3 A. No, sir, I did not identify Katz.

4 Q. There were no emails between PFC Manning and an individual

5 — and an individual named Jason Katz?

6 A. No, sir, I don't believe so.

7 Q. No chats?

8 A. No, sir.

9 Q. No websites that you associated with Jason Katz?

10 A. No, sir.

11 Q. No connection whatsoever between PFC Manning and Jason

12 Katz?

13 A. Not that I identified, sir.

14 Q. Okay. You also didn't find any financial transactions that

15 would have suggested to you that PFC Manning was paid for anything he

16 gave to WikiLeaks?

17 A. No, sir.

18 Q. There were no large sums of money that were transferred to

19 PFC Manning?

20 A. No, sir.

21 Q. You spoke on direct about the global address list, correct?

22 A. Yes, sir.

ADC [CPT TOOMAN]: I want to retrieve Prosecution Exhibit 122,
please  [retrieving  the  document  from  the  court  reporter].  Ma'am, 
permission  to  publish. 

MJ:  Go  ahead. 

Q.  Now,  Mr.  Johnson,  you  testified  that  this  was  what  you 
would  call  a  tasker,  correct  [referring  to  the  image  on  the 
projection screen]?

A.  Yes,  sir. 

Q.  Could  you  tell  what  format  this  document  was  in? 

A.  It's  raw  text,  sir. 

Q.  A  text  file.  So  that  would  have  been  something  —  could 
you  tell  how  it  got  on  the  computer? 

A.  No,  sir. 

Q.  But  this  is  the  sort  of  thing  —  so  there's  no  evidence 
that  would  suggest  someone  sent  this  to  PFC  Manning? 

A.  I  cannot  determine  that,  sir. 

Q.  Okay.  So  you  would  agree  with  me  that  it's  quite  possible 

that  this  is  a  document  PFC  Manning  created  himself? 

A.  It's  possible,  sir. 

Q.  Okay.  And  are  you  familiar  with  the  format  of  that 
document? 

A.  Can  you  be  more  specific,  sir? 
Q. Does that — does that look like a military sort of format
for  a  document? 

A.  It  looks  to  me  to  be  similar.  Yes,  I'll  say  similar. 

Q.  Okay.  Now,  you  would  agree  with  me  that  the  objective 

portion  of  this  is  blank? 

A.  Yes,  sir. 

Q.  It  doesn't  say  "send  to  WikiLeaks"? 

A.  No,  sir. 

Q.  It  doesn't  say  anything? 

A.  Doesn't  say  anything. 

ADC [CPT TOOMAN]: Returning Prosecution Exhibit 122 [retrieving
the document from the witness and returning it to the court
reporter].

Q.  Now,  we  talked  about  the  WikiLeaks  submission  pages  and  the 
only  WikiLeaks  submission  pages  you  found  had  to  do  with  Farah, 
correct? 

A. With the Farah.RAR files, yes, sir.

Q.  Right.  There  were  no  WikiLeaks  submission  pages  that 
suggested  that  PFC  Manning  sent  emails  to  WikiLeaks? 

A.  No,  sir. 

Q.  And,  in  fact,  you  found  the  global  address  list  or  what 
appeared  to  be  the  global  address  list  in  the  unallocated  clusters? 

A.  Yes,  sir. 
1 Q. And it was — that means it was deleted?

2  A.  Yes,  sir,  deleted  content.  It's  there  somehow. 

3  Q.  Okay.  It  had  to  have  been  —  is  it  possible  to  put 

4  something  on  unallocated  clusters? 

5  A.  Possible,  but  it  would  require  extraordinary  work. 

6  Q.  Okay.  In  all  likelihood  it  was  something  that  was  on  the 

7  computer  in  the  allocated  space  and  then  the  user  pushed  delete? 

8  A.  Yes,  sir. 

9  Q.  Okay.  Now,  you're  a  —  you're  a  computer  expert,  do  you 

10  ever  challenge  yourself  with  things  related  to  computers  just  to  see 

11  if  you  can  do  it? 

12  A.  Can  you  be  specific? 

13  Q.  Yeah.  Have  you  ever  just  been  at  a  computer  and  thought  I 

14  wonder  if  I  could  do  this,  and  then  you  tried  to  do  it? 

15  A.  Yes,  sir. 

16  Q.  Okay.  Are  you  aware  that  at  the  time  the  global  address 

17  list  was  downloaded  my  client  was  no  longer  working  as  an 

18  intelligence  analyst,  he  was  working  in  a  supply  room? 

19  A.  I'm  not  familiar  with  the  timeframe  on  that,  sir. 

20  Q.  Okay.  Do  you  think  it's  possible  that  if  PFC  Manning  were 

21  in  a  supply  room  he  might  — 

22  ATC [CPT  MORROW]:  Objection,  Your  Honor. 
MJ: Overruled. I mean — I'm sorry, sustained. No. That's

speculation.

Q. I'm going to talk -- continue talking a little bit about

the  GAL.  You  said  it  appeared  to  be  the  global  address  list, 
correct? 

A.  Yes,  sir. 

Q.  You  would  agree  with  me  that  there  is  someone  who  controls 
the  global  address  list? 

A.  Can  you  specify,  sir? 

Q.  Sure.  There  would  be  someone  within  DoD  who  could  tell  you 
exactly  who  was  on  the  global  address  list,  correct? 

A.  At  some  particular  point  in  time,  yes,  sir. 

Q.  Sure.  So  you  could  go  to  someone  and  you  could  say,  hey, 
as  of  June  11th,  what  is  the  global  address  list  —  who's  office? 

A.  I  don't  know  if  they  could  give  you  a  specific  point  in 
time,  but  yes. 

Q.  Okay.  Someone  could  print  it  out  and  say  here  are  the 
names  that  are  part  of  the  global  address  list? 

A.  Yes,  sir. 

Q.  Okay.  Did  you  all  do  that  as  part  of  your  investigation; 
ask  someone  for  the  actual  global  address  list? 

A.  I  do  not,  sir.  No,  sir.  That  would  be  outside  the  scope 
of  forensics. 
Q. Okay. So you all didn't compare the global address list
that  you  found  or  what  appeared  to  be  a  global  address  list  in  the 
unallocated  space,  you  never  compared  that  to  an  actual  global 
address  list? 

A.  I  do  not  --  no,  sir. 

Q.  Okay.  Mr.  Johnson,  would  you  agree  with  me  that  it's  — 
that  Iraq  is  a  very  challenging  environment  for  electronics? 

A.  Yes,  sir. 

Q.  It's  very  hot? 

A.  Yes,  sir. 

Q.  Very  dusty? 

A.  Yes,  sir. 

Q.  Sandy? 

A.  Yes,  sir. 

Q.  It's  difficult  for  a  computer? 

A.  Yes,  sir. 

Q.  So  when  one's  having  computer  problems  something  that  they 

can  do  to  alleviate  those  problems  is  to  wipe  the  machine,  correct, 
just  start  over? 

A.  Ah,  can  you  be  more  specific,  sir? 

Q.  Sure.  If  you're  having  performance  problems  with  your 
computer,  one  of  the  things  that  you  could  do  would  be  I'm  just  going 
to  wipe  this,  I'm  going  to  start  over? 
1 A. Sure. But that would not have anything to do with physical

2  environment. 

3  Q.  Okay.  But  it  would  —  it  could  correct  some  of  the 

4  problems  that  your  computer  was  having? 

5  A.  Possibly,  sir. 

6  Q.  Okay.  And  there  are  a  lot  of  reasons  why  people  wipe  their 

7  machines,  correct? 

8  A.  Yes,  sir. 

9  Q.  You  testified  that  PFC  Manning  reinstalled  his  operating 

10  system  on  25  January  2010? 

11  A.  Yes,  sir. 

12  Q.  He  wiped  the  unallocated  space  or  cleaned  the  unallocated 

13  space  on  31  January  2010? 

14  A.  Yes,  sir. 

15  Q.  Now,  PFC  Manning  is  charged  with  giving  the  Apache  air 

16  strike  video  to  WikiLeaks,  and  he's  charged  with  having  done  that 

17  between  15  February  and  April  5th,  2010.  Is  there  any  evidence  of 

18  PFC  Manning  wiping  his  computer  in  that  time? 

19  A.  I  don't  recall,  sir.  I  don't  —  don't  believe  so. 

20  Q.  PFC  Manning  is  charged  with  giving  SIGACTS  to  WikiLeaks. 

21  Is  there  any  evidence  that  he  wiped  his  machine  in  February  of  2010? 

22  A.  Again,  sir,  I  don't  recall  a  specific  date,  but  I  don't 

23  believe  there  was  anything,  no. 
Q. Okay. He didn't wipe his machine in April 2010?

A.  I  don't  recall.  I'd  need  to  refer  to  the  log  file,  sir, 
but  I  don't  recall  being  there,  no. 

Q.  I  believe  you  testified  that  there  was  only  one  instance  of 
him  wiping  the  unallocated  space,  right? 

A.  I  annotated  —  yes. 

Q.  And  he  didn't  wipe  it  in  April? 

A.  Again,  I  have  to  refer  to  the  log  to  confirm,  but  I  don't 
recall,  sir,  no. 

ADC [CPT TOOMAN]: Okay. Could I have Prosecution Exhibit 125,
please  [retrieving  the  document  from  the  court  reporter]?  I'm 

handing  the  exhibit  to  Mr.  Johnson. 

Q.  Mr.  Johnson,  would  you  please  review  those  logs  and  tell  me 
if  PFC  Manning  wiped  his  machine  or  if  there's  any  evidence  of  PFC 
Manning  wiping  his  machine  in  February  of  2010? 

[The witness did as directed and read through the document.]

A.  Yes,  there  is. 

Q.  What  did  he  do? 

A.  He  erased  his  machine  on  2-11-2010;  the  free  space. 

Q.  Okay,  and  what's  the  free  space? 

A.  The  unallocated  clusters.  I  do  stand  corrected. 

MJ:  And  what  was  the  date  of  that? 

WIT:  2-11,  ma'am.  However  - 
1 Q. Any other instances?

2  A.  However,  sir,  I  will  have  to  annotate  that  it  was  stopped. 

3  Q.  That  was  stopped.  So  it  was  not  completed? 

4  A.  That's  correct. 

5  Q.  Okay.  Any  other  instances? 

6 A. No, sir [looking through the document].

7 ADC [CPT TOOMAN]: I'll retrieve the exhibit [retrieving the

8 document from the witness and returning it to the court reporter].

9  Q.  And  so  that  instance  in  February  was  stopped,  that  means 

10  that  nothing  was  wiped,  correct? 

11  A.  Only  the  first  —  whatever  was  wiped  in  the  first  two 

12  minutes,  sir. 

13  Q.  So  two  minutes.  And  I  think  you  testified  on  direct  that 

14  when  PFC  Manning  did  a  wipe  before  it  took  almost  four  hours? 

15  A.  Three  hours  —  something  —  yes,  sir. 

16  Q.  Three  hours  and  48  minutes? 

17  A.  Roughly  —  roughly,  sir,  somewhere  in  that  range. 

18  Q.  How  much  gets  wiped  in  two  minutes? 

19  A.  It  will  vary  depending  on  the  operating  system,  the  hard 

20  drive  —  not  a  large  amount. 

21  Q.  Very  little.  And  so  it  got  stopped  and  there's  no  —  no 

22  evidence  that  PFC  Manning  wiped  his  computer  in  any  other  time  in 

23  February? 
A. I did not observe any, no.

Q.  Nothing  in  March? 

A.  I  did  not  observe  any  further  entries  in  the  log,  sir. 

Q.  So  nothing  in  April? 

A.  No,  sir. 

Q.  Nothing  in  May? 

A.  No,  sir. 

ADC [CPT TOOMAN]: No further questions. Thank you, Mr. Johnson.
MJ:  Redirect? 

ATC [CPT MORROW]: May we have a moment, Your Honor?

MJ:  Yes. 

[Pause] 

ATC [CPT  MORROW]:  Your  Honor,  may  we  have  a  ten  minute  recess, 
please? 

MJ:  Yes,  you  may.  Special  Agent  Johnson,  once  again,  please 

don't  discuss  your  testimony  or  knowledge  of  the  case  with  anyone 
during  the  recess,  okay? 

WIT:  Yes,  ma'am. 

MJ:  Counsel,  may  I  see  you  when  we  recess  for  just  a  brief 

second? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  Court  is  in  recess. 

[The  court-martial  recessed  at  1154,  12  June  2013.] 
[The court-martial was called to order at 1205, 12 June 2013.]

MJ:  Court  is  called  to  order.  Let  the  record  reflect  all 

parties  present  when  the  Court  last  recessed  are  again  present  in 
court.  The  witness  is  on  the  witness  stand.  Captain  Morrow. 

REDIRECT  EXAMINATION 

Questions by the assistant trial counsel [CPT MORROW]:

ATC [CPT  MORROW]:  Mr.  Johnson,  I  just  have  a  couple  questions. 
And  I  want  to  begin  by  talking  about  something  Captain  Tooman 
referred  to;  a  WikiLeaks  most  wanted  list.  I'm  retrieving 
Prosecution  Exhibits  109  for  Identification  and  Prosecution  Exhibit 
110.  Permission  to  publish  to  the  Court,  Your  Honor. 

MJ:  Yes. 

Q.  Let's  start  first  with  Prosecution  Exhibit  109  for 
Identification [referring to the image on the projection screen].

Mr.  Johnson,  I'd  just  like  you  to  read  the  top  of  the  page  there. 
What  does  this  say? 

WIT:  I'm  sorry,  sir,  that's  slightly  out  of  focus  for  me. 

ATC [CPT  MORROW]:  Oh,  let  me  see  if  I  can  help  you  out  here. 

[The  projection  image  was  adjusted.] 

ATC [CPT  MORROW]:  Better? 

WIT:  It's  as  good  as  it's  going  to  get,  sir. 

ATC [CPT  MORROW]:  Well,  just  in  - 

WIT:  I  can  read  that,  sir. 
1 [The projection image was adjusted.]

2  ATC [CPT  MORROW]:  Does  that  help? 


3 WIT: Yes, sir.

4 Q. What does it say?

5 A. What was the question again, sir?

6 Q. Just read starting with "draft".

7 A. Draft: the most wanted links of 2009, sort.

8 Q. And at the very top of the page what's after "sort"?

9 A. That heading line includes the word WikiLeaks as well as

10 page number.

11 Q. Okay. And I'm going to move to the bottom of the page.

12 Now, at the very bottom with HTTP://web. What does that - as an

13 examiner, what does that mean when a page's sort of got that line of

14 information at the bottom? What does that indicate to you?

15 A. It would indicate to me that this was probably a printed

16 page from a website and that bottom URL would be the URL of the

17 website being printed.

18 Q. Okay. And now let's just go up and let's look at — do you

19 see a box there, has a series of numbers, 23Sudan, 24Syria?

20 A. Yes, sir.

21 Q. Do you see the United States up there?

22 A. Yes, sir.
Q. Okay. I'm going to flip to the United — section on the
United  States. 

ADC [CPT TOOMAN]: Objection, Your Honor. Relevance.

MJ: Where are — where are you going with this?

ATC [CPT  MORROW]:  I'm  going  to  a  specific  thing  that's  on  this 
list  that's  discussed  in  the  chat  logs. 

MJ:  Overruled. 

ATC [CPT  MORROW]:  Mr.  Johnson,  I'm  showing  you  Page  9  of 
Prosecution Exhibit 109 for ID, and beginning with the line
"opensource.gov", can you read just everything under there [referring
to the image on the projection screen]?

A.  From  opensource.gov,  we  have  brief,  the  complete  CIA  open 
source  center  analytical  database.  The  database  is  extensive, 
unclassified,  non-public,  but  relatively  accessible  to  certain 
outsiders  after  jumping  through  hoops.  Despite  its  name,  you  need  to 
be  a  government  —  be  government  official  to  gain  access  to  it. 

Q.  Keep  going. 

A.  Entity;  opensource.gov,  and  it  provides  a  long  URL  there, 

sir. 

ATC [CPT  MORROW]:  Okay.  Now  I'm  going  to  publish  Prosecution 
Exhibit  110  [removing  one  document  from  the  projection  screen  and 
replacing  it  with  Prosecution  Exhibit  110].  And,  again,  I'm  going  to 
show  Page  9  of  that  exhibit.  And  if  you  could  read  the 
opensource.gov section again, please [referring to the image on the
projection screen]?

A. Opensource.gov, brief, the complete CIA open source center
analytical database. The database is extensive, unclassified,
non-public, but relatively accessible to certain outsiders after jumping
through hoops. Despite its name, you need to be government official
to gain access to it.

Q.  Would  you  agree  that  the  last  two  exhibits  that  that 
basically  paragraph  is  basically  the  same? 

A.  Yes,  sir. 

Q.  Almost  entirely  the  same? 

A.  I'd  have  to  look  at  them  side  by  side,  but  it  appears  to  be 
identical.

Q.  Okay. 

MJ: I'm going to stop you here for just a moment, Captain

Morrow. Prosecution Exhibit 109 for Identification is the — is not
admitted pending the motion that's at issue.

ATC [CPT MORROW]: I agree, Your Honor.

MJ:  So  everything  that  you  went  through  with  the  witness  on  an 

unadmitted  document,  should  I  not  admit  it,  I'm  going  to  disregard 
everything  with  Prosecution  Exhibit  109  for  Identification. 

ATC [CPT MORROW]: I understand, Your Honor.

MJ:  Okay. 
1 [Pause.]

2  ATC [CPT  MORROW]:  I'm  retrieving  Prosecution  Exhibit  123.  And 

3  Mr.  Johnson,  I'm  going  to  show  you  Page  5  of  this  exhibit  [presenting 

4  the  document  on  the  projection  screen] . 

5  ATC [CPT  MORROW]:  One  moment,  Your  Honor. 

6  [Pause.] 

7  ATC [CPT  MORROW]:  I'm  sorry.  It  took  me  a  second  to  find  it. 

8  Q.  Mr.  Johnson,  I'm  showing  you  the  top  of  page  five  of 

9  Prosecution  Exhibit  123  [referring  to  the  image  on  the  projection 

10  screen] .  Can  you  read  that? 

11  A.  Yes,  sir. 

12  Q.  Okay.  I  want  —  I  want  to  start  from  this  —  basically  the 

13  second  line  down  where  it  says  "yeck".  Can  you  read  down  from  there, 

14  please? 

15  A.  The  following  line  —  are  you  referring  to  just  the  message 

16  text,  sir? 

17  Q.  Yeah.  Just  read  —  just  identify  the  party  who  is  saying 

18  it  and  then  identify  what's  being  said. 

19 A. Yes, sir. The next line; "pressassociation", text reading

20  WL  action  that  were  considered  totally  radical  three  years  ago  are 

21  now  being  —  are  now  courted.  Next  line;  dawgnetwork,  I  told  you 

22  before,  government  organizations  can't  control  information.  The 

23  harder  they  try,  the  more  violently  the  information  wants  to  get  out. 
The following line; "pressassociation" saying to 2500 articles in .IS
referendum  in  the  past  15  hours,  despite  it  being  a  Sunday. 

Q.  Can  I  ask  —  stop  you  there.  What  does  .IS  refer  to? 

A.  That  would  be  a  top  level  country  level  domain,  most 
likely. 

Q.  Do  you  know  what  country? 

A.  Not  offhand,  sir. 

Q.  Okay.  Keep  going. 

A.  Where  was  I?  Next  line;  dawgnetwork,  you're  like  the  first 
pin  to  pop  a  balloon.  Following;  "pressassociation"  saying  many 
other  things  like  this.  Following,  also;  "pressassociation", 
restrict  supply  equal  value  increases,  yes.  Next  line;  dawgnetwork, 
oh,  yeah,  OSC  went  haywire  digging  into  .IS. 

Q.  Let  me  stop  you  there.  Do  you  know  what  OSC  refers  to  in 
these  chats? 

A.  Open  source  center. 

Q.  Okay.  Keep  going. 

A.  The  next  line;  "pressassociation",  stating  U.S.  DOD  has 
another  tact  though,  dump  billions  in  free,  "news"  content.  Next 
line,  also;  "pressassociation",  yes  —  or  yay  —  pardon  me. 

Following  line,  also;  "pressassociation",  that's  something  we  want  to 
mine  entirety,  B  T  W. 
Q. Now, when "pressassociation" say that's something we want
to  mine  entirely  by  the  way,  what  are  they  referring  to? 

A.  My  opinion  would  be  they  are  looking  to  - 

ADC [CPT TOOMAN]: Objection.

MJ:  Sustained.  Speculation. 

Q.  Now,  what  does  "pressassociation"  say  below  that's 
something  we  want  to  mine  entirely  by  the  way? 

A.  That  line  it  reads,  I  had  an  account  there,  but  changed  IPS 
too  quickly. 

Q.  And  what  does  dawgnetwork  say? 

A.  The  following  line;  usually  it's  pretty  dull  reading,  one 
or two things on .IS a day, but it's like 20-25 for today alone.

Q.  Keep  going. 

A.  The  following  from  "pressassociation",  just  —  just  FBIs  or 
an  analysis  included.  Following;  dawgnetwork,  no  analysis,  too 
early.  Continuing;  dawgnetwork,  24  to  48  hours  it  takes  for 
analysis,  if  done. 

Q.  All  right,  let  me  stop  you  there.  What's  your 
understanding  of  what  open  source  center  is? 

A.  My  understanding  is  is  the  collection  by  the  intelligence 
commun  —  operation  and  intelligence  community  that  collects 
information  that  is  available  to  the  outside  world,  not  classified, 
but  it  is  publicly  available,  though  maybe  not  directly  or  easily 
find. It would include things such as news sources, various public
records,  databases  and  the  like. 

Q.  And  I  want  to  ask  you  one  more  thing;  when 
"pressassociation"  says  that's  something  we  want  to  mine  entirely  by 
the way, would you agree that "pressassociation"'s expressed -

ADC [CPT TOOMAN]: Objection, Your Honor.

MJ:  Just  —  just  —  let  me  —  let  him  ask  the  question.  Say  it 

one  more  time. 

Q.  Would  you  agree  that  "pressassociation"  is  expressing  some 
interest  in  something?  It's  hard  to  tell  what  they're  referring  to, 
but? 

A.  I  think  that's  a  reasonable  interpretation,  sir.  Yes,  sir. 

Q.  Now,  Captain  Tooman  asked  you  earlier  whether  there  was  any 
evidence  in  the  chats  that  "pressassociation"  asked  PFC  Manning  to 
give  them  anything.  And  you  said,  no,  there's  no  evidence  of  that. 

Do  you  still,  based  on  your  reading  of  that's  something  we  want  to 
mine  entirely  by  the  way,  do  you  still  feel  that  way? 

A.  I  couldn't  say  with  any  degree  —  that  doesn't  sound  like  a 
direct  question  to  me,  but  it's  definitely  something  of  interest. 

Q.  Okay.  Now,  Mr.  Johnson,  I  want  to  ask  you  about  the  disk 
utility  log.  Do  you  know  what  a  strongbox  is? 

A.  Strongbox  in  this  situation  refers  to  an  encrypted  file  we 
found  on  Private  Manning's  computer. 
Q. Now, what is the extension for a strong box?

A. It was DMG.

Q. So how would the — what's essentially the file — what's
the file name?

A. It would be an Apple disk image.

Q. And you said it was encrypted?

A. Yes, sir.

Q. Now, were you able to open this strongbox?

A. No, sir.

Q. Do you recall the date the strongbox was created?

A.  No,  sir.  I'd  have  to  refer. 

ATC [CPT  MORROW]:  I'm  retrieving  Prosecution  Exhibit  125. 

ADC [CPT TOOMAN]: Ma'am, we would object to this line of
questioning  --  questioning.  What's  the  relevance? 

MJ:  Where  are  you  going  with  this? 

ATC [CPT  MORROW]:  Your  Honor,  the  defense  asked  several  questions 
about  what  could  be  recovered  from  the  computer.  I'm  simply 
inquiring  into  a  file  that  the  forensic  examiners  couldn't  open. 

MJ:  Overruled. 

ATC [CPT MORROW]: I'm handing you the disk utility log,
Prosecution  Exhibit  125,  and  I'd  like  you  to  find  where  in  the  disk 
utility  log  the  strongbox  is  created. 
A. [Looking at the document.] Okay. That would be February
11th,  2010. 

Q.  And,  again,  you  said  you  could  not  open  this  file? 

A.  Yes,  sir. 

Q.  Now,  when  a  file  is  encrypted,  are  you  able  to  tell  what's 
inside  the  file? 

A.  No,  sir. 

Q.  So  you'd  have  no  idea  how  large  this  file  is? 

A.  No,  sir,  not  at  that  time. 

ATC [CPT  MORROW]:  Thank  you.  I'm  handing  now  125  back  to  the 
court  reporter  [retrieving  the  document  from  the  witness  and  handing 
it  to  the  court  reporter].  And  handing  123  back  to  the  court
reporter. 

Q.  One  last  question.  Were  you  able  to  tell,  based  on  your 
examination,  whether  files  were  being  added  to  the  strongbox 
throughout  the  course  of  PFC  Manning's  deployment? 

A.  I  cannot  tell  that  files  were  being  added  or  removed. 
However,  the  log  indicates  that  that  file  had  been  expanded  several 
times,  thus  the  reason  I  could  not  determine  the  file  size  at  the 
time  you  asked. 

Q.  But  you  wouldn't  be  able  to  tell  the  size  of  the  files  in 
there  anyway? 

A.  The  internal  contents? 

Q.  Yes.

A.  No,  sir. 

Q.  I'm  sorry.  I  should  have  asked  this  when  I  had  123  in  front 
of  me,  but  in  your  opinion  were  the  chat  logs  with  "pressassociation" 
complete? 

A.  I  could  not  tell,  sir. 

Q.  Well  were  there  days  missing  between  5  March  and  18  March? 

A.  Yes,  sir. 

Q.  So  it  wasn't  5  March,  6  March,  7  March,  8  March? 

A.  No.  There  were  some  missing  days,  sir. 

ATC [CPT  MORROW]:  Thank  you.  I'm  handing  Prosecution  Exhibit  109 
for  Identification  back  to  the  court  reporter  and  Prosecution  Exhibit 
110. 

MJ:  Any  further  questions? 

ADC [CPT  TOOMAN]:  No,  ma'am.

MJ:  I  just  have  a  couple. 

WIT:  Yes,  ma'am. 

EXAMINATION  BY  THE  COURT-MARTIAL 
Questions  by  the  military  judge: 

Q.  On  the  strongbox,  if  you  can't  tell  how  big  a  file  is,  how 
can  you  tell  if  it  gets  bigger? 

A.  The  --  we're  referring  to  --  his  question  was  the  contents 
of  the  —  what  was  put  into  the  strongbox.  The  strongbox  itself  is 
the  container  file.  It's  sort  of  like  a  —  it  has  a  similar  function
to  RARs  and  zips,  but  it's  an  Apple  specific  —  it  serves  a  different 
purpose.  So  I  can  tell  the  file  size  of  the  DMG  itself,  but  not 
what's  put  inside.  Does  that  answer  your  question,  ma'am? 

Q.  Yes.  So  is  this  a  large  file  or  a  small  file? 

A.  It's  fairly  significant  size,  sir  —  or  ma'am. 

[Pause.]

MJ:  All  right.  Anything  based  on  that  from  either  side? 

ATC [CPT  MORROW]:  No,  Your  Honor. 

ADC [CPT  TOOMAN]:  Just  briefly,  Your  Honor.

RECROSS-EXAMINATION

Questions  by  the  assistant  defense  counsel  [CPT  TOOMAN]:

Q.  Now,  Mr.  Johnson,  the  —  you  were  describing  the  strongbox 
getting  bigger.  Is  it  fair  to  say  the  —  would  it  be  fair  to  say  the 
strongbox  is  kind  of  like  a  partition;  you're  like  fencing  off  an 
area? 

A.  No,  sir,  it's  not.  It's  closer  to  a  zip  or  RAR  type  file.

Q.  Okay.  The  space  got  bigger?

A.  Yes,  sir. 

Q.  And  you  don't  know  what  was  in  there? 

A.  No,  sir. 

Q.  Could  have  been  anything? 

A.  Could  be  anything,  sir. 

Q.  It  could  have  been  pictures  of  PFC  Manning?

A.  It  could  be  anything,  sir.  I  have  no  indication  of  what's
in  there.

Q.  It  could  have  been  videos? 

A.  Possible. 

ADC [CPT  TOOMAN]:  Okay.  Thank  you.

MJ:  Temporary  or  permanent  excusal? 

ATC [CPT  MORROW]:  Temporary,  Your  Honor. 

[The  witness  was  temporarily  excused,  duly  warned,  and  withdrew  from 
the  courtroom.]

MJ:  Just  prior  to  reconvening  with  this  witness,  I  spoke  with
counsel  briefly  in  R.C.M.  802  conference.  I  was  concerned  a  little
bit  with  the  defense  line  of  questioning  regarding  PFC  Manning  was 
charged  with  a  variety  of  different  things  and  that  there  was  no 
evidence  in  the  —  that  the  witness  had  in  his  report  that  shows  a 
transfer.  And  I  was  concerned,  and  I  asked  Mr.  Coombs  if  the  defense 
was  challenging  the  transfers  other  than  the  Farah  video  in 
Specification  11  of  Charge  II  as  we've  already  had  a  plea  that 
established  those  elements. 

CDC [MR.  COOMBS]:  Yes,  Your  Honor.  And  in  response  to  that,  what 
we  are  challenging  is  the  date/time  period  which  the  government  has 
charged  these  releases,  not  that  PFC  Manning  did  them  or  not.  So  by 
pleading  by  exceptions  and  substitutions  we  pled  to  certain  dates,
which  we  believe  the  forensic  evidence  supports,  that  those  were  the
dates  in  which  PFC  Manning  gave  the  information.  Unlike  what  the 
government  has  charged  in  the  Charge  Sheet  which  is  a  much  broader 
date  range. 

MJ:  All  right.  Thank  you.  Now,  looking  at  the  time,  is  this  a
good  time  to  have  a  lunch  break?

TC [MAJ  FEIN]:  Yes,  ma'am,  it  is. 

CDC [MR.  COOMBS]:  Yes,  Your  Honor.

MJ:  Okay,  how  long  would  we  like  here? 

CDC [MR.  COOMBS]:  1330,  Your  Honor. 

MJ:  1330  work  for  both  sides? 

TC [MAJ  FEIN]:  It  does,  ma'am. 

MJ:  All  right.  Court  is  in  recess  till  1330. 

[The  court-martial  recessed  at  1226,  12  June  2013.] 

[The  court-martial  was  called  to  order  at  1336,  12  June  2013.] 

MJ:  Court  is  called  to  order.  Let  the  record  reflect  all
parties  present  when  the  Court  last  recessed  are  again  present  in
court.  Are  there  any  issues  we  need  to  address  before  we  continue? 

TC [MAJ  FEIN]:  No,  ma'am. 

CDC [MR.  COOMBS]:  No,  Your  Honor. 

MJ:  All  right,  government,  call  your  next  witness. 

TC [MAJ  FEIN]:  Ma'am,  the  United  States  offers  two  stipulations 
to  be  read  onto  the  record.  The  numbers  are  Prosecution  Exhibit  117 
and  Prosecution  Exhibit  119.  Your  Honor,  first  Prosecution  Exhibit
117,  the  Stipulation  of  Expected  Testimony  for  Chief  Warrant  Officer 
5  Jon  Larue,  dated  10  June  2013. 

It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and 
Trial  Counsel,  that  if  Chief  Warrant  Officer  5  John  Larue  were 
present  to  testify  during  the  merits  and  pre-sentencing  phases  of 
this  court-martial,  he  would  testify  substantially  as  follows: 

I  am  currently  assigned  to  the  Pentagon.  I  have  22  years 
of  experience  flying  helicopters  for  the  United  States  Army.  I  have 
been  a  pilot  since  1984.  I  entered  active  duty  in  1990.  From  1990 
until  1  January  2011,  I  was  an  Apache  helicopter  pilot.  After  1 
January  2011,  I  became  a  General  Aviation  Officer  in  light  of  my 
promotion  to  CW5. 

In  1991,  I  was  a  Cobra  pilot.  In  1993,  I  qualified  to  fly 
the  Apache  AH-64  Alpha  (AH-64Alpha).  In  1998,  I  qualified  as  an
instructor  pilot  on  the  AH-64Alpha.  I  have  flown  the  AH-64Alpha  in 
combat  in  Bosnia.  In  2000,  I  qualified  to  fly  the  AH-64Delta.  Later 
in  2000,  I  qualified  as  an  instructor  pilot  on  the  AH-64Delta.  I 
deployed  to  Kuwait  in  2002  as  part  of  Operation  Desert  Spring.  I 
deployed  to  Iraq  in  2003,  and  I  flew  in  combat  as  an  AH-64Delta  pilot 
in  Operation  Iraqi  Freedom.  I  deployed  to  Afghanistan  in  2008  and 
flew  combat  missions  during  that  deployment.  In  sum,  I  have
approximately  3000  hours  of  flight  time  and  approximately  200  hours 
of  combat  flight  time. 

From  2004-2008,  I  worked  at  Army  Tactics  Development  at 
Fort  Rucker.  In  this  position,  I  developed  combat  tactics.  In 
particular,  I  developed  tactics  driven  by  equipment,  especially 
survivability  equipment.  At  Army  Tactics  Development,  I  field  tested 
equipment,  verified  the  results,  and  developed  tactics,  techniques, 
and  procedures  (TTPs)  in  accordance  with  the  test  results.

From  2008-2009,  I  was  the  tactical  operations  officer  for 
the  brigade  aviation  element  of  the  3rd  Brigade  Combat  Team  of  1st 
ID.  As  the  tactical  operations  officer,  I  managed  all  attack  and 
reconnaissance  aircraft  in  eastern  Afghanistan. 

Since  2009,  I  have  been  stationed  at  the  Pentagon  and 
worked  at  Department  of  the  Army  Military  Operations-Aviation
(DAMO-AV).  At  DAMO-AV,  I  work  in  the  G-3/5/7,  which  manages  Army  Aviation.
I  am  the  Aircraft  Survivability  Equipment  Action  Officer  at  DAMO-AV.

The  AH-64Delta  is  an  upgraded  version  of  the  AH-64Alpha.
The  AH-64Delta  uses  digital  displays  whereas  the  AH-64Alpha  relies  on
analog  displays. 

I  am  familiar  with  the  video  file  named  "12  JUL  07  CZ 
ENGAGEMENT  ZONE  30  GC  Anyone.avi"  (Apache  video)  because  I  reviewed 
the  video.  I  reviewed  the  Apache  video  for  sensitive  information,  to 
include  systems  capabilities  and  communications.  I  relied  on  my 
experience  as  a  pilot,  instructor  pilot,  and  as  an  officer  in  charge
of  developing  aviation  defensive  technologies.  I  also  relied  on  the 
Noble  Eagle  classification  guide,  which  set  classification  standards 
for  all  helicopter  videos  in  OPERATION  ENDURING  FREEDOM  and  then 
later  in  OPERATION  IRAQI  FREEDOM.  Finally,  I  considered  the  security 
classification  guide  for  the  Apache  helicopter  itself.  I  did  not 
consider  any  open  source  reporting  on  this  particular  incident.  I 
also  did  not  consider  the  fact  that  I  have  seen  similar  videos  with 
the  sensitive  information  visible  on  the  internet.  This  video  is 
Prosecution  Exhibit  15  for  Identification. 

The  Apache  video  shows  the  display  of  an  AH-64Delta.  I
know  the  display  is  of  an  AH-64Delta  because  it  is  digital,  and  I
have  extensive  experience  using  the  AH-64Delta  digital  display.  The
Apache  video  shows  the  high-action  display.  The  high  action  display
shows  the  use  of  a  laser  for  ranging,  altitude  and  air  speed.  The
laser  also  shows  angles  of  engagement.  The  ranges  and  attack
approaches  are  TTPs.  Based  on  my  experience  and  training,  TTPs  are
sensitive  Army  Aviation  information.  Adversarial  forces  who  know
TTPs  could  be  able  to  anticipate  United  States  operations  and  the
adversarial  forces  will  be  able  to  plan  more  effective  attacks  as  a
result.  The  high  action  display  also  shows  the  heading  tape,  which
reveals  the  sensor  and  the  sensor's  acquisition  of  targets  and  other
information.  This  display  of  the  sensor  in  action  could  be  used  to
determine  the  limitations  of  the  sensor's  capabilities.  Based  on  my
experience  and  training,  the  sensor's  capabilities  are  sensitive  Army
Aviation  information.  The  sensor  also  reveals  the  position  of  the
helicopter  during  an  operation,  which  could  be  used  to  determine  more
aspects  of  TTPs.  TTPs  are  a  puzzle,  and  revealing  any  piece  could
make  solving  the  puzzle  easier  for  an  adversary.

Videos  of  any  helicopter  combat  missions  are  recorded
regularly  for  training  and  reviewed  for  effectiveness.  As  a
helicopter  pilot,  I  have  been  taught  not  to  release  the  videos  to  the
public  nor  to  reveal  the  sensitive  information  contained  therein.  As
a  helicopter  instructor  pilot,  I  have  instructed  students  not  to
release  the  video  nor  to  reveal  the  sensitive  information  contained
therein.

Helicopter  units  have  procedures  for  protecting  the  videos
and  the  information  the  videos  contain.  In  my  experience  under  the
procedures  employed  by  the  units,  all  videos  requiring  review  are
turned  into  flight  operations  by  pilots  or  support  personnel.  The
videos  are  reviewed  and  used  again  as  needed.  Thus,  the  information
may  be  recorded  over  but  it  is  not  physically  released.  If  a  video
contains  information  that  requires  being  saved,  the  video  is  ported
over  to  a  system  on  the  SIPRNET.  After  the  information  is  secured  on
the  SIPRNET,  the  tape  may  be  recorded  over  again.  In  my  experience,
videos  that  are  physically  released  are  sanitized  for  the  types  of
information  described  in  Paragraph  8  above  of  this  stipulation  before
the  video  is  publicly  released.  The  actual  video  footage  is  not
classified.  Coupling  the  video  footage  with  the  a  makes  the
information  sensitive.

Your  Honor,  Prosecution  Exhibit  119,  the  Stipulation  of
Expected  Testimony  from  Ms.  Jacqueline  Scott,  dated  10  June  2013.

It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and
Trial  Counsel,  that  if  Ms.  Jacqueline  Scott  were  present  to  testify
during  the  merits  and  pre-sentencing  phases  of  this  court-martial,
she  would  testify  substantially  as  follows:

I  am  employed  at  United  States  Central  Command  (USCENTCOM),
MacDill  Air  Force  Base,  Florida.  I  am  a  Freedom  of  Information
Action  (FOIA)  Officer  and  the  Chief  of  the  FOIA  and  Privacy  Section.
This  entails  reviewing  FOIA  requests  and  releasing  information  as
appropriate  under  the  FOIA.  FOIA  requests  originate  from  various
sources.  The  public  submits  requests  for  information  under  the  FOIA.
Additionally,  federal  agencies  receive  requests  for  information  under
the  FOIA,  and  those  agencies  may  have  responsive  documents  that
contain  USCENTCOM  equities.  Those  agencies  then  contact  USCENTCOM  to
review  the  responsive  documents  requested  for  USCENTCOM  equities.  I
have  worked  at  USCENTCOM  since  1995.  I  have  been  doing  FOIA  work
since  1999.  I  have  worked  exclusively  on  FOIA  issues  since  2005.  I
was  previously  the  Branch  Chief  of  Management,  Records,  and  Forms,
Personnel  Management,  FOIA,  and  Privacy.

Currently,  the  FOIA  Office  handles  approximately  350
requests  a  year.  Before  2002,  the  number  of  requests  a  year  was
approximately  40.  The  FOIA  office  does  not  make  withholding
decisions;  the  FOIA  office  only  makes  recommendations.  As  a  part  of
the  FOIA  office,  I  am  the  first  person  to  see  the  mail  and  requests.
When  a  request  is  received,  I  determine  if  USCENTCOM  has  the
information  by  conducting  a  records  search.  I  also  may  have  —  may
have  to  check  with  the  legal  office  to  see  if  there  is  an
investigation  pending.  Sometimes  information  may  point  the  FOIA
process  to  equities  involving  intelligence,  special  operations,  and
planning,  among  others.  USCENTCOM  owns  the  information  I  review  for
release  under  the  FOIA.

After  a  FOIA  request  is  received,  a  member  of  the  FOIA
office  conducts  a  first  scrub.  During  this  scrub,  any  information
that  should  not  be  released  because  it  meets  an  exemption  under  the
FOIA  is  placed  in  a  red  bracket  or  red  box.  Next,  a  member  of  the
FOIA  team  verifies  the  exemption  with  the  equity  holder  —  excuse  me,
owner,  Your  Honor.  The  review  is  conducted  by  a  subject  matter
expert  (SME).  The  SME  looks  through  any  requested  document  for
specific  types  of  equities.  For  instance,  one  SME  looks  for  J-5
equities  and  another  for  J-3  equities.  A  SME  works  exclusively  on
his/her  branch  of  equities  for  FOIA  requests.  If  a  SME  believes  that
information  should  be  declassified,  the  information  is  taken  to  an
original  classification  authority  (OCA)  with  the  authority  to
declassify.  If  the  SME  verifies  a  classified  equity  with  the  owner
of  the  equity,  the  information  is  marked  as  not  being  appropriate  for
release.

Redactions  are  mainly  used  for  classified  information,
names  of  DoD  personnel,  and  anything  that  falls  under  the  (b)(3)
exemption  of  FOIA.  The  (b)(3)  section  protects  personnel  assigned  to
a  sensitive  overseas  routinely  deployed  unit.  Information  pertaining
to  weapons  systems  is  also  not  released.  Section  (b)(5)  also  exempts
information  and  applies  to  a  portion  of  USCENTCOM  FOIA
investigations.  Section  (b)(5)  has  three  parts:
(1)  pre-decisional  information;  (2)  attorney-client
documents  or  privileges;  and  (3)  attorney  work  product.  Law
enforcement  exemptions  under  section  (b)(7),  such  as  Inspector
General  investigations,  also  warrant  exemption  from  disclosure  under
the  FOIA.  The  FOIA  office  incorporates  the  factors  listed  in
Executive  Order  (EO)  13526  into  decisions  regarding  redactions  of
classified  information.

There  is  a  20-day  mandate  in  the  timeline  for  responding  to
FOIA  requests.  On  occasion,  a  10-day  extension  may  be  granted  where
coordination  of  various  equities  requires  additional  time.  After
initial  review  the  legal  office  reviews  the  information  for  legal
sufficiency.  The  legal  review  is  a  legal  opinion  about  the  FOIA 
determinations.  This  is  a  "GO/NO-GO  process."  If  it  is  a  "GO,"  then 
it  is  sent  back  to  the  FOIA  office  to  be  packaged  and  sent  to  the 
Chief  of  Staff  for  approval  and  signature  for  releasable  information. 
If  it  is  a  "NO-GO,"  then  the  legal  officer  states  the  deficiencies, 
if  any.  The  FOIA  office  responds  by  correcting  the  deficiencies  and 
the  information  is  resubmitted  for  legal  review. 

I  am  familiar  with  the  video  file  named  "12  JUL  07  CZ 
ENGAGEMENT  ZONE  30  GC  Anyone.avi"  (Apache  video),  which  is 
Prosecution  Exhibit  15  for  Identification  in  this  case  because  it  was 
the  subject  of  a  FOIA  request.  I  was  asked  to  review  the  records
related  to  the  FOIA  request  for  the  Apache  video.  I  searched  for  the 
records.  I  reviewed  those  records.  I  did  not  find  the  Apache  video. 
The  records  indicated  that  the  Apache  video  was  not  released  subject 
to  any  FOIA  request.  The  AR  15-6  Investigation  related  to  the  Apache 
video  was  released  under  the  FOIA,  and  the  investigation  contained 
redactions  in  accordance  with  applicable  FOIA  exemptions. 

The  USCENTCOM  FOIA  office  received  a  request  for 
information  related  to  the  Farah  investigation.  The  investigation 
pertained  to  a  large  scale  civilian  casualties  (CIVCAS)  incident  in 
the  Farah  Province,  Afghanistan.  In  response  to  the  FOIA  request  for 
information  related  to  the  Farah  Investigation,  an  unclassified 
executive  summary  was  released  on  or  about  18  June  2009.  The
classified  investigating  officer  report  (Bates  numbers:  00378029
through  00378065)  was  not  released  to  the  public.  No  other  document
or  video  related  to  the  Farah  investigation  was  released  to  the
public  in  response  to  a  FOIA  request  or  otherwise.

On  30  July  2007,  CENTCOM  released  SIGACT  information  as  a
FOIA  release  for  Significant  Activity  Report  (SIGACT)  data  from  2004,
2005,  2006,  and  2007.  I  was  the  individual  that  posted  this
information  to  the  FOIA  reading  room.  The  SIGACT  information
released  gave  the  date  and  time  of  the  significant  activity,  the
attack  type,  the  target  and  the  location  city  of  the  significant
activity.  The  FOIA  release  did  not  include  all  of  the  information
from  the  SIGACTs.  Only  that  information  that  was  declassified  by  an
OCA  was  released  by  my  office.

ATC [CPT  MORROW]:  United  States  recalls  Special  Agent  David
Shaver.

DAVID  SHAVER,  civilian,  was  recalled  as  a  witness  for  the
prosecution,  was  reminded  of  his  previous  oath,  and  testified  as
follows:

DIRECT  EXAMINATION

Questions  by  the  assistant  trial  counsel  [CPT  MORROW]:

ATC [CPT  MORROW]:  Agent  Shaver,  you  are  still  under  oath.

WIT:  Yes,  sir.

Q.  Agent  Shaver,  what  is  a  SAM  or  SAM  file?

A.  Sir,  that  is  a  system  —  system  access  manager.  What  that 
is  that's  part  of  the  Microsoft  security.  It  is  a  file  within  XP 
operating  system.  It  contains  both  the  user  names  and  part  of  the 
encrypted  password. 

Q.  Now,  what  do  you  mean  by  "a  part  of  the  encrypted 
password"? 

A.  Sir,  let  me  explain  it  —  I  got  to  explain  how  a  computer 
works.

Q.  Okay.  Take  your  time. 

A.  Sure.  When  you  log  into  a  computer  you  type  your  password 
in,  it's  plain  text;  you  can  see  it.  Well,  what  the  computer  does  is 
it  takes  that  plain  text  password  and  passes  it  through  a 
mathematical  algorithm  and  creates  a  hash  value.  This  is  a  first 
step  of  a  security  feature.  Storing  passwords  in  plain  text  is  not 
very  smart.  Bad  people  can  get  them  very  easily.  So  once  it  does 
the  hash  value  it  then  breaks  it  up  into  basically  two  parts,  part 
goes  to  the  SAM  file,  part  of  it  goes  to  the  system  file.  This  is 
another  security  feature  to  have  a  password  --  the  hash  and  password 
broken  up  into  two  pieces.  And  then,  finally,  when  the  computer's 
running  the  system  files,  the  SAM  and  system  files  are  locked, 
whereas  a  normal  user  cannot  access  them. 

Q.  Now,  what  user  of  a  computer  could  access  the  system  file
and  the  SAM  file? 

A.  You  would  have  to  have  administrative  level  privileges  to 
do  this. 

Q.  And  if  you  don't  have  administrative  level  privileges  what 
is  another  way  you  can  view  the  SAM  or  system  file? 

A.  You  could  reboot  the  computer,  and  using  a  Linux  distro  — 
a  Linux  operating  system,  which  is  —  been  configured  to  run  off  of  a 
CD  --  so  it  doesn't  actually  install,  it  just  runs  from  it,  then  you 
can  navigate  to  the  SAM  or  system  file  and  then  view  the  contents. 

Q.  All  right,  let's  —  let's  back  up.  What  do  you  mean  by  — 
so  what  is  Linux,  first? 

A.  Sir,  that's  just  another  operating  system. 

Q.  And  what  do  you  mean  by  booting  the  computer  from  a  CD? 

A.  Well,  you  first  off,  you  need  to  download  from  the  internet 
a  Linux  distribution.  You'd  burn  it  from  an  ISO  file,  which  you 
download,  and  burn  it  to  a  CD.  Then  you  would  just  basically  —  when 
the  computer  boots  up,  you  would  see  like  the  Dell  screen,  for 
example,  it  may  say  something  --  press  F9  to  boot  from  CD. 

Q.  Now,  let  me  stop  there.  Where  would  you  find  a  Linux 
operating  system?  Just  —  it's  free  on  the  internet? 

A.  Yes,  sir. 

Q.  And  if  you  burned  a  CD  with  a  Linux  operating  system  on  it,
at  least  on  a  Macintosh  computer  or  Apple  —  Macbook  Pro,  where  would
you  see  evidence  of  that?

A.  That  would  be  the  disk  utility  log  file. 

ATC [CPT  MORROW]:  Retrieving  Prosecution  Exhibit  125.  I'm
handing  the  witness  Prosecution  Exhibit  125. 

Q.  Agent  Shaver,  do  you  recognize  that  document? 

A.  Um  [looking  at  the  document]  -

Q.  Take  a  couple  minutes  to  review  it,  please. 

A.  Yes,  sir,  this  appears  to  be  the  disk  utility  log  file. 

Q.  And  did  you  review  this  disk  utility  log  file? 

A.  Yes,  sir,  I  did. 

Q.  And  when  you  reviewed  it,  did  you  observe  any  activity  that 
would  suggest  that  a  Linux  operating  system  was  burned  to  a  CD?

A.  Yes,  sir. 

Q.  And  can  you  point  out  —  multiple  places  or  just  one  place? 

A.  [Looking  at  the  document]  There  are  multiple  places,  sir.

Q.  What's  the  first  example? 

A.  Line  112. 

Q.  Okay. 

ATC [CPT  MORROW]:  Permission  to  publish,  Your  Honor?

MJ:  Go  ahead.

ATC [CPT  MORROW]:  I  am  publishing  Page  3  of  Prosecution  Exhibit
125.

Q.  Agent  Shaver,  can  you  explain  the  information  contained  in
line  112  and  below,  please  [referring  to  the  image  on  the  projection
screen]?

A.  Sure.  Yes,  sir.  On  February  1st,  2010,  at  1317  hours
local  time,  burning  —  the  burning  image  —  the  file  name  "assist  and
rescue-s86-l.3.5.ISO",  it  talks  about  the  log  file.  Then  shows  it
preparing  data  for  burning.  Opening  session.  Writing  session.
Closing.  Verification.  And  then  finally  line  129  says  "burn
complete  successfully".

Q.  And  based  on  your  review  of  the  disk  utility  log,  did  you
observe  —  or  what  are  the  other  dates  you  observed  —  approximately
observed  a  -

A.  Early  March  2010.

ATC [CPT  MORROW]:  I'm  publishing  Page  8  of  Prosecution  Exhibit
125.

Q.  Again,  explain  the  information  in  line  365  [referring  to
the  image  on  the  projection  screen].

WIT:  Sir,  can  you  slide  that  a  little  further  up  -

ATC [CPT  MORROW]:  Sure.

WIT:  -  so  I  can  see  it  further  down?

ATC [CPT  MORROW]:  Sure.

WIT:  Other  way.

ATC [CPT  MORROW]:  Other  way.

A.  Yes,  sir.  Line  365  says  on  March  2nd,  2010,  17:48:51  hours,
burning  image  system  rescue  CD-X86-1.3.5.ISA.  And  then  at  line  382
it  shows  that  the  burn  completed  successful.

Q.  Now,  again,  what  is  the  .ISO  mean?

A.  That's  an  image  file  for  a  CD.

Q.  Okay,  and  how  do  you  know  that's  —  just  looking  at  that,
how  do  you  know  that's  a  Linux  operating  system?

A.  I  have  actually  burned  this  disk  to  CD  and  utilized  it  —
viewed  the  contents.

Q.  Now,  let's  say  that  you  boot  a  SIPRNET  computer  using  a  CD
with  Linux  on  it,  how  would  you  view  the  SAM  file?

A.  What  you  do  is  boot  to  CD,  the  operating  system  would  come
up,  you  would  have  to  basically  mount  the  hard  drive.  "Mounting"  is
making  it  accessible  to  the  operating  —  the  Linux  operating  system,
navigate  to  the  SAM  file,  and  you  would  use  a  Hex  Editor  to  view  the
context.

Q.  What's  a  "Hex  Editor"?

A.  Sir,  that  is  a  —  to  view  the  contents  of  Microsoft  Word
document  you  would  use  the  program  Microsoft  Word.  The  SAM  file  is  a
database.  It's  a  registry  file.  It's  —  it's  a  complicated  file,
but  a  Hex  Editor  can  view  the  contents.

ATC [CPT  MORROW]:  Retrieving  Prosecution  Exhibit  130  for
Identification  [retrieving  the  document  from  the  court  reporter].  I'm
handing  the  witness  Prosecution  Exhibit  130  for  Identification.

Q.  Do  you  recognize  those  images? 

A.  Yes,  sir,  I  do. 

Q.  And  what  are  they? 

A.  These  are  two  screenshots  I  created.  The  first  one  is  of  a
chat  that  was  recovered  from  PFC  Manning's  personal  Macintosh.  The
second  is  a  screenshot  of  the  EnCase  program  viewing  the  SAM  file
from  the  .22  computer.

ATC [CPT  MORROW]:  Okay.  Permission  to  publish,  Your  Honor
[retrieving  the  document  from  the  witness].

MJ:  Go  ahead. 

Q.  Can  you  see  that,  Special  Agent  Shaver  [referring  to  the
image  on  the  projection  screen]?

A.  Yes,  sir.

Q.  Okay  —  well,  let's  start  here.  Do  you  see  the  line  that
says  "dawgnetwork"  and  there's  a  series  of  numbers  and  letters  —
80C1104?

A.  Yes,  sir. 

Q.  What  is  that? 

A.  That  is  a  hex  value,  a  part  of  the  SAM  file  from  .22  or
.40.

Q.  And  how  do  you  know  that?

A.  I  examined  both  computers,  specifically  the  SAM  file,  but
the  entire  computer  both  the  allocated  and  nonallocated  to  find  that
unique  string.  And  it  was  only  located  within  the  SAM  file  of  either
the  .22  or  .40  computer.

Q.  Now,  based  on  the  presence  of  that  string  of  numbers  and
characters  in  the  chats,  what  does  that  tell  you?

A.  Somebody  had  gained  access  to  the  SAM  file  to  find  that
unique  string.

Q.  Other  than  being  administrator,  is  that  the  only  way  you
would  be  able  to  gain  access  to  that  string  of  numbers  and  letters?

A.  There  may  be  some  hacker  tools  out  there  that  can  do  it,
but  the  most  common  way  would  be  to  use  a  Linux  CD  to  do  this.

Q.  Now  did  you  verify  whether  the  SIPRNET  computers  associated
with  PFC  Manning  could  be  booted  from  a  CD?

A.  Yes,  sir.  I  turned  it  —  I  turned  it  back  into  a  virtual
machine.

Q.  Okay,  again,  let's  stop.  What's  a  "virtual  machine"  again?

A.  Sir,  again  a  "virtual  machine"  is  just  the  —  your  computer
would  be  the  host,  in  my  case  it  was  a  Windows  machine,  but  the  guest
operating  system,  the  virtual  computer,  could  be  anything,  Linux,
Mac,  Windows.
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1  Q.  And  explain  the  process  of  booting  that  you  went  through 

2  here. 

3  A.  Very  simple.  I  just  burned  the  same  system  rescue  CD  that  I 

4  found  on  PFC  Manning's  personal  Macintosh  computer,  burned  it  to  CD. 

5  Restored  the  virtual  —  created  the  virtual  machine,  and  the  booted 

6  the  virtual  machine  from  that  CD. 

7  Q.  And  once  you  booted  the  virtual  machine,  what  did  you  do 

8  next? 

9  A.  I  then  navigated  to  the  SAM  file,  and  I  was  using  the  —  a 

10  Hex  Editor,  was  able  to  view  the  contents. 

11  Q.  And  ultimately,  why  would  somebody  be  —  somebody  be 

12  interested  in  the  contents  of  a  SAM  file?  What's  contained  in  that? 

13  A.  Again,  user  names. 

14 ADC [CPT TOOMAN]: Objection. It calls for speculation.

15  MJ:  Do  you  know  what's  in  there? 

16  WIT:  Yes,  ma'am. 

17  MJ:  Overruled. 

18  A.  User  names  and  part  of  a  pass  —  hash  of  a  password. 

19  Q.  And,  finally,  what's  a  "rainbow  table"? 

20  A.  A  "rainbow  table".  Every  —  we  talked  about  passwords  or 

21  hash  values;  that's  how  they  use  mathematical  value  and  create  hash 

22  value.  Rainbow  tables  are  —  it's  a  concept.  And  what  you  do  is  you 

23 pregenerate known hash values. So you have dictionary attacks that

1 have already generated hash values, so — and then you have a program

2  that  checks  it.  This  is  —  the  pass  --  the  hash  value  to  see  if  they 

3  match.  It  would  speed  up  cracking  or  decrypting  passwords. 

4  Q.  And  why  do  you  use  a  rainbow  table? 

5  A.  It's  —  it  takes  —  it's  faster  to  decrypt  a  file  —  a 

6  password.  In  this  case  you  have  the  hash  value  of  a  user  account; 

7  the  rainbow  tables  would  be  tailored  to  attack  that.  It  would  take 

8  just  moments  on  a  good  computer  to  crack  a  password. 

9  Q.  And  in  this  case  the  hash  value  80C1104,  what  was  that  hash 

10  value  associated  with  in  the  SAM  file? 

11  A.  That's  the  thing,  sir,  in  this  case,  the  person  who  did 

12  this  only  got  part  of  the  hash  value.  It's  not  quite  right.  But  it 

13  appears  to  be  from  the  user's  account  FTP  user. 

14  Q.  What  is  the  FTP  user  account? 

15  A.  That's  just  a  user  account  that  was  on  both  22  and  40  as 

16  probably  part  of  the  original  build  that  was  pushed  out.  It  would 

17  just  be  another  local  account  on  the  computer. 

18 ATC [CPT MORROW]: Your Honor, the prosecution moves to admit

19  Prosecution  Exhibit  130  for  Identification  into  evidence  as 

20  Prosecution  Exhibit  130. 

21 ADC [CPT TOOMAN]: No objection, Your Honor.

22  MJ:  All  right.  Prosecution  Exhibit  130's  admitted.  May  I  see 

23 it, please?

1 [The assistant trial counsel handed the document to the Military

2 Judge].

3  MJ:  Thank  you. 

4 ATC [CPT MORROW]: Thank you, Agent Shaver.

5  MJ:  Cross-examination? 

6  ATC [CPT  MORROW]:  I'm  handing  — 

7  MJ:  I'm  sorry. 

8  ATC [CPT  MORROW]:  —  Exhibit  125  back  to  the  court  reporter 

9 [handing the document to the court reporter].

10  CROSS-EXAMINATION 

11 Questions by the assistant defense counsel [CPT TOOMAN]:

12 Q. Good afternoon, Agent Shaver?

13  A.  Good  afternoon,  sir. 

14  Q.  Now,  you  just  testified  that  the  hash  value  that  was 

15  included  in  the  chat  was  not  the  full  hash  value? 

16  A.  That  is  correct. 

17  Q.  So  in  order  for  a  person  to  actually  gain  access  to  the 

18  passwords  contained  in  the  SAM,  they  would  have  needed  more  of  the 

19  hash  file? 

20  A.  Yes,  sir.  Remember  —  I  mentioned  the  system  file,  you 

21  would  need  that  part  as  well. 

22  Q.  Okay.  So  the  hash  value  included  in  the  chat  wouldn't  be 

23 enough to actually gain any passwords or user information?

1 A. Correct.

2 ADC [CPT TOOMAN]: Okay. No further questions. Thank you.

3  MJ:  Redirect? 

4  ATC [CPT  MORROW]:  No,  Your  Honor. 

5  MJ:  Temporary  or  permanent  excusal? 

6  ATC [CPT  MORROW]:  Temporary,  Your  Honor. 

7  [The  witness  was  temporarily  excused,  reminded  of  the  previous 

8  warning,  and  withdrew  from  the  courtroom.] 

9  TC [MAJ  FEIN]:  The  United  States  asks  for  a  10-minute  recess. 

10  That  went  a  little  faster  than  we  planned  —  just  to  get  the  next 

11  witnesses  files. 

12  MJ:  All  right.  Court  is  recessed  until  ten  after  1400  or  2 

13  o'clock. 

14  [The  court-martial  recessed  at  1404,  12  June  2013.] 

15  [The  court-martial  was  called  to  order  at  1416,  12  June  2013.] 

16  MJ:  Court  is  called  to  order.  Major  Fein,  please  account  for 

17  the  parties. 

18  TC [MAJ  FEIN]:  Yes,  ma'am.  Your  Honor,  all  parties  when  the 

19  Court  last  recessed  are  again  present  with  the  exception  of  Captain 

20  Morrow,  also.  Captain  Whyte  and  CPT  von  Elten  are  present. 

21  MJ:  Thank  you. 

22 ATC [CPT von ELTEN]: Ma'am, the United States calls Greg Weaver.

1 GREGORY WEAVER, civilian, was called as a witness for the

2  prosecution,  was  sworn,  and  testified  as  follows: 

3  DIRECT  EXAMINATION 

4 Questions by the assistant trial counsel [CPT von ELTEN]:

5  Q.  Are  you  Greg  Weaver  of  Bristow,  Virginia? 

6  A.  Sir,  yes,  I  am. 

7  Q.  Good  afternoon,  Mr.  Weaver. 

8  A.  Good  afternoon,  sir. 

9  Q.  What  is  your  military  experience? 

10  A.  Sir,  I'm  a  retired  noncommissioned  officer.  I  retired  in 

11  1997  as  a  combat  arms  NCO.  My  last  duty  assignment  was  out  of  the 

12  Pentagon. 

13  Q.  And  what  did  you  do  in  your  last  duty  assignment? 

14  A.  In  my  last  duty  assignment  for  the  military,  sir,  I  was  the 

15  Army  Operations  Center  team  lead  working  24/7  operations  in  the  Army 

16  Op  Center,  directly  reporting  to  the  Secretary  and  Chief  Staff  of  the 

17 Army.

18  Q.  What  is  your  current  position? 

19  A.  Sir,  today  I  lead  a  compliance  branch  team  of  military  and 

20  civilian  personnel;  the  compliance  branch  underneath  the  Compliance 

21  Division  of  Army  Cyber  Command,  a  newly  formed  organization  to  stand 

22  up  and  report  on  compliance  activities  across  the  Army. 

23 Q. And what else does that entail?

1 A. Sir, predominantly we — we are the reporting agency for

2  all  inspections  —  all  compliance  inspections  across  the  Army,  the 

3  conduct  of  lessons  learned,  the  computer  network  defense  service 

4  providing  services  associated  with  our  Cybers  Mission,  plus  a  number 

5  of  administrative  duties. 

6  Q.  Mr.  Weaver,  what  is  "information  assurance"? 

7  A.  Sir,  "information  assurance"  —  the  foundation  principles 

8  of  information  assurance  is  a  unified  approach  by  which  we  get  after 

9  the  confidentiality,  integrity,  and  availability  —  non-refutation  of 

10  systems  —  of  information  systems,  and  information  in  general  to 

11  ensure  its  security  and  reusability  or  usability  within  the  Army. 

12  It's  a  —  it's  not  a  standalone  —  not  a  standalone  concept,  but  it 

13  incorporates  many  facets  of  other  security  disciplines  and  not  just 

14  information  assurance. 

15  Q.  What  metrics  do  you  use  to  measure  information  assurance? 

16  A.  Sir,  there's  many  metrics  to  —  to  measure  information 

17  assurance.  One  of  them  would  be  compliance  inspections.  One  of  them 

18  would  be  reporting  —  assessments  in  general  —  how  well  an 

19  individual  or  organization  is  evaluated  from  an  operational 

20  standpoint  as  to  how  well  they  perform  information  assurance,  using 

21  guidelines,  STIGS,  standards,  checklists,  best  practices,  and  so 

22  forth. 

23 Q. And how long have you been in this position?

A. In this position, sir? Just over — since November of 2011.

Q.  What  position  did  you  hold  prior  to  your  current  one? 

A.  Prior  to  this  I  was  a  contract  support  to  —  to  the 

Department  of  Defense  and  the  Defense-wide  Information  Assurance 
Program  at  the  DoD  CIO's  office  serving  capacity  as  a  subject  matter 
expert  in  the  —  in  the  areas  of  information  assurance,  computer 
network  defense,  and  other  technical  --  or  technology  areas 
associated  with  policy  and  procedures. 

Q.  How  long  did  you  hold  that  position? 

A.  Sir,  it  was  just  over  13  months. 

Q.  What  certifications  do  you  possess? 

A.  Sir,  currently  I  am  a  Certified  Information  Systems 
Security  Professional  the  —  and  a  SANS  Global  Information  Assurance 
certified  incident  handler. 

Q.  What  does  the  CISSP  certification  mean? 

A.  Sir,  it's  the  —  it's  the  top  level  preeminent  security 
professional  security  certification  required  for  —  for  information 
assurance  professionals  within  the  DoD  and  it's  an  industry 
recognized  certificate  for  the  industry  in  general. 

Q.  Why  do  you  have  that  certification? 

A.  Two  reasons.  Professional  respect  and  responsibility  of 
the profession, so it serves as the — an indicator of the expertise.
And, secondly, it is a requirement within the Army if you maintain an
information  assurance  position  to  hold  such  certifications  as  they 
are  identified  by  your  duty  description  or  position. 

Q.  And  what  does  your  SANS  certification  signify? 

A.  The  SANS  certification  is  a  —  is  a  longstanding 
certification  I've  maintained  since  2001.  It  is  the  certifying 
information  --  it's  a  certificate  of  ability  to  perform  incident 
response,  incident  handling,  for  systems  and  networks  that  have  had 
an  intrusion  or  an  event.  Basically  how  to  prepare  for,  respond, 
react,  and  follow-up  with  any  system  or  network  that  may  have  been 
intruded  upon  or  events  that  may  have  occurred  on  a  network. 

Q.  How  long  have  you  been  working  in  information  assurance? 

A.  Sir,  since  1998. 

Q.  What  were  you  doing  when  you  began  working  in  information 
assurance? 

A.  Sir,  when  I  began  I  originally  started  in  this  career  field 
after  I  retired  from  the  service.  I  was  a  team  member  of  the  Army 
Computer  Emergency  Response  Team;  contractor  support  in  support  of 
the  Army's  cert  standing  out  and  formalizing  a  brand  new  organization 
to  establish  computer  emergency  response  processes  within  the  Army 
and  across  the  five  theaters  that  we  had  at  the  time  and  their  cert 
procedures and then — as well as or reporting to and supporting the
Department of Defense — DoD, DISA, and at the time JTF GnO, which is
now  Cyber-Command. 

Q.  Let's  talk  a  little  bit  about  AR  25-2. 

A.  Yes. 

Q.  Are  you  familiar  with  it? 

A.  Yes,  sir. 

Q.  How  are  you  familiar  with  it? 

A.  In  2000  —  2002,  I  began  work  with  the  Army  CIO/G6  —  by 
leaving  the  Army  Computer  Emergency  Response  Team  and  went  to  the 
Army CIO/G6. My primary duties and responsibilities when I got there
was  the  authoring  of  AR  25-2,  and  then  predominantly  was  the  sole 
author  and  responsibility  for  creating,  staffing,  collaboration,  and 
eventual  publication  of  AR  25-2. 

Q.  What  version  did  you  write? 

A.  The  initial  version,  which  it  was  published  in  2003,  and 
then  the  two  subsequent  versions  in  2007,  and  then  the  Rapid  Action 
revision  in  2009. 

Q.  And  how  many  versions  are  there? 

A.  Currently  2009  Rapid  Action  revision  is  the  current  25-2. 

Q.  What  was  the  first  version? 

A.  It  was  just  Information  Assurance  25-1 [sic],  dated  2003. 

Q.  How  long  did  you  spend  drafting  AR  25-2? 




1  A.  I  spent  approximately  nine  months  of  dedicated  efforts  to 

2  creating  and  drafting  the  Information  Assurance  Regulation  from  — 

3  from  the  DoD  and  the  Army  directives  at  the  time. 

4  Q.  What  other  documents  related  to  AR  25-2  have  you  drafted? 

5  A.  I've  had  direct  authorship  of  approximately  18  best 

6  business  practices  over  the  course  of  about  4  years  from  2003  to 

7  2007;  either  the  principal  author  or  co-author  of  these  best  business 

8  practices. 

9  Q.  What  is  AR  25-2? 

10  A.  Sir,  AR  25-2  establishes  the  standards  and  processes  and 

11  procedures  by  which  regulatory  requirements  of  Army  efforts  to 

12  instill  or  imp  —  or  to  apply  information  assurance  practices  for  the 

13  network  security  across  the  Army. 

14  Q.  To  whom  does  AR  25-2  apply? 

15  A.  Sir,  it  applies  to  everybody.  And  if  you  sit  on  or  —  it 

16  applies  to  all  users.  Obviously  are  applicable  to  —  are  responsible 

17  for  filing  AR  25-2,  commanders,  designating  accredited  officials  are 

18  resp  —  are  required  to  follow  the  rules  and  policies  associated  with 

19  AR  25-2  in  the  design  of  their  systems  and  incorporate  IA  principles 

20 in the policy. Army Reserve, National Guard, medical community, Corps

21  of  Engineers,  and  so  forth.  So  it  applies  to  everybody  within  the 

22 Army.

ATC [CPT von ELTEN]: I'm retrieving Prosecution Exhibit 93 for
Identification [retrieving the document from the court reporter].

MJ: Captain von Elten [referring CPT von Elten to the court
reporter].

ATC [CPT  von  ELTEN]:  Handing  it  to  the  witness. 

WIT:  Thank  you. 

Q.  Do  you  recognize  that  document,  Mr.  Weaver? 

A.  Yes  I  do,  sir.  It's  AR  25-2. 

Q.  What  is  it? 

A.  It  is  the  Rapid  Action  revision,  dated  23  March  2009. 

Q.  How  do  you  recognize  it? 

A.  It  is  the  format  by  which  the  Army  publishes  Army 
regulations.  This  one  is  in  single  page  format. 

ATC [CPT  von  ELTEN]:  Ma'am,  the  United  States  offers  Prosecution 
Exhibit  93  for  Identification. 

MJ:  Is  that  one  of  the  things  I  took  judicial  notice  of? 

ATC [CPT  von  ELTEN]:  Yes,  ma'am. 

MJ:  Is  there  —  the  things  I  took  judicial  notice  of  are  they 

already  admitted  or  are  you  admitting  them  now? 

ATC [CPT  VON  ELTEN]:  Ma'am,  they  have  not  been  separately  marked 
at  all. 

MJ: Okay.

ATC [CPT von ELTEN]: Although we have taken judicial notice
and the government and defense still — well, the government has the
consolidated list for the Court and has not given that to the Court
yet. But none of the items have been printed or marked.

MJ: All right, any objection, Defense?

ADC [CPT TOOMAN]: No, ma'am.

MJ:  Thank  you.  May  I  see  it,  please? 

[The assistant trial counsel handed the document to the Military
Judge.]

MJ: Thanks very much. Prosecution Exhibit 93's admitted.

ATC [CPT  von  ELTEN]:  Retrieving  it  from  the  witness. 

Q.  Mr.  Weaver,  let's  talk  a  little  bit  about  acceptable  use 
policies.

A.  Yes,  sir. 

Q.  What  is  an  "acceptable  use  policy"? 

A.  Sir,  an  "acceptable  use  policy"  is  mandated  by  DoD  for  all 
users  to  acknowledge  and  comply.  It's  a  signature  --  with  a 
signature.  It  outlines  the  procedures  and  then  policies  associated 
with  appropriate  use  of  government  systems  and  --  on  a  government 
network  or  systems  in  general  as  provided  by  the  government  to 
outline  the  standards  and  process  —  to  outline  the  standards  by 
which  users  are  held  accountable  to  conduct  and  behavior  while  on  or 
operating with that system.

ATC [CPT von ELTEN]: Permission to publish, ma'am.

MJ:  Go  ahead. 

Q.  Mr.  Weaver,  do  you  recognize  this  section  [referring  to  the 
image on the projection screen]?

A.  I  do,  sir. 

Q.  And  what  is  it? 

A.  This  is  one  of  the  subparagraphs  — 

ADC [CPT TOOMAN]: We're going to object based on relevance.
PFC Manning in Charge III charges violating very specific sections of
25-2; this is not one of these sections.

MJ:  Where  are  you  going  with  this? 

ATC [CPT  von  ELTEN]:  To  establish  the  framework  by  which  25-2 
establishes  acceptable  uses. 

MJ:  Is  this  going  to  be  a  long  discussion? 

ATC [CPT  von  ELTEN]:  No,  ma'am. 

MJ:  All  right.  I'm  going  to  overrule  the  objection.  Go  ahead. 

Q.  What  does  the  acceptable  use  policy  do? 

A.  So,  sir,  what  you  see  here  is  the  wording  banner  that  is 
prescribed  as  a  requirement  to  access  any  information  system.  It  is 
the  warning  banner  that  is  part  of  the  display  of  any  users'  access 
to  an  information  system,  and  the  users  agreement  is  —  outlines  the 
standards  by  which  that  access  is  —  is  also  permitted  in  addition  to 
the warning banner that is prescribed by DoD.

1 Q. What use is -

2  MJ:  Captain  von  Elten,  what  pages  of  the  regulations  is  —  am  I 

3  looking  at? 

4  ATC [CPT  von  ELTEN]:  Page  26,  ma'am. 

5  MJ:  Thank  you. 

6  Q.  What  uses  does  it  authorize? 

7  A.  The  —  the  AUP  outlines  the  appropriate  use  of  the 

8  information  system  other  than  —  or  in  addition  to  the  additional 

9  authorized  use  of  that  —  of  that  system  for  conduct  of  government 

10  business  —  business.  This  warning  banner  also  outlines  that  there's 

11  no  expectation  of  privacy  with  that  use,  with  the  exception  of  that 

12  which  is  already  fundamentally  controlled  by  other  law  or  policies 

13  such  as  legal  or  medical  restrictions. 


14 Q. How are government needs determined?

15 A. How are government means determined?

16 Q. How are government needs determined?

17 A. Needs are determined by — by — usually by the mission or

18 by the command or by the organization that owns that system or has

19 accredited that system for use decides or determines what that need

20 is.

21 Q. Are AUPs required?

22 A. AUPs are required, yes, sir.

23 Q. How long have they been required?

1 A. Since this — this Regulation 25-2 — this version was a

2  Rapid  Action  revision  because  of  the  requirement  by  DoD  to  change  and 

3  mandate,  the  acceptable  use.  So  in  2009  this  RAR  was  published. 

4  Q.  Why  are  AUPs  used? 

5  A.  The  AUPs  are  basically  an  agreement  between  the  government 

6  or  the  organization  and  the  user.  The  user  signs  it  understanding 

7  that  the  rules  and  responsibilities  they  have  on  that  network  are  the 

8  rules  and  responsibilities  that  they  have  in  the  performance  of  their 

9  duties  as  well  as  acknowledge  their  —  their  responsibilities  and 

10  when  —  when  authorized  —  when  you  can  use  the  government  system  for 

11  nonofficial  use.  However  —  but  it's  still  authorized  such  as  NWR 

12  support  or  e-mail  to  a  —  to  a  —  to  a  civilian  web-mail  or  something 

13  like  that. 

14 Q. What does AR paragraph 1-5(j) prohibit?

15 A. Sir, 1-5(j) prohibits — or is — specifically identifies

16  prohibited  actions  and  functions  within  the  Army  associated  with  the 

17  use  of  information  systems  and  IA  principles. 

18  Q.  And  what  are  a  few  examples? 

19  A.  They  - 

20 ADC [CPT TOOMAN]: Your Honor, we're going to object again.

21  PFC  Manning's  not  charged  with  violating  that  provision  of  AR  25-2. 

22 MJ: Then why are we discussing it?

ATC [CPT von ELTEN]: Just establishing the framework, Your Honor.
It's my last question.

MJ:  All  right.  Go  ahead. 

A.  Your  question  again,  sir? 

Q.  A  few  examples  —  what  are  a  few  examples  of  violating  — 
that — of activities prohibited 1-5(j)?

A.  So  those  violations  are  covered  in  the  regulation  in  bolded 
text  throughout  the  regulation  specifically.  Some  violations  would 
be  unauthorized  use  of  the  system,  installing  or  downloading  or 
accessing  information,  installing  or  downloading  software,  accessing 
information  which  is  outside  the  control  or  boundaries  of  authorized 
use,  failure  to  scan  systems  for  —  for  malicious  content,  uploading 
personnel  —  personnel  files  or  personal  content  that  is  not  DoD 
related. 

Q.  Let's  talk  a  little  bit  about  information  assurance 
training. 

A.  Sure. 

Q.  Are  you  familiar  with  information  assurance  training? 

A.  I  am,  sir. 

Q.  How  are  you  familiar  with  it? 

A. Both as a — as a user, I am required by the same policy to
take training every year. And as a SME for IA within the Army I have

1 contributed to some of the content associated with the initial

2  versions  of  the  information  assurance  training. 

3  Q.  What  policies  requires  IA  training? 

4  A.  The  AR  25-2  requires  information  assurance  training  on  an 

5  annual  basis.  DoD  also  requires,  as  part  of  their  policies,  that  all 

6  users  within  the  Department  of  Defense  conduct  information  assurance 

7  training  annually. 

8  Q.  How  does  a  user  complete  his  —  a  new  obligation  to 

9  complete  information  assurance  training? 

10  A.  The  —  both  the  Army  and  the  DoD  have  instituted  online  CBT 

11  based  —  Computer  Based  Training,  so  it's  accessible  web  —  through 

12  the  web  through  the  internet.  So  it's  very  easy  to  accomplish. 

13  Q.  What  does  it  take  to  accomplish  that? 

14  A.  Log  on  with  the  —  through  the  website,  go  through  the 

15  scenario-driven  computer  based  training.  You  have  a  certificate  at 

16  the  end  of  it  that  you  digitally  sign  or  print  it  out  and  then  sign 

17  and  upload. 

18  Q.  What  does  it  take  to  earn  that  certificate? 

19  A.  Completion  of  the  training,  sir.  So  you  have  to  answer  the 

20  10  questions  —  I  mean,  it's  10  questions  —  or  20  questions  —  I'm 

21  not  sure  what  it  is,  at  the  end  of  the  test.  And  then  you  obviously 

22  have  to  pass  or  you  have  to  do  it  again. 

23 Q. How long has this training been required?

A. The training within the Army has been since before 2009,
but  —  when  DoD  instituted  the  Arm  —  the  DoD  level  training,  the 
Army  adopted  the  DoD  training  and  just  used  that  as  its  standard. 

Q.  What  work  did  you  do  in  developing  IA  training? 

A.  So  —  prior  to  the  DoD  integration  — 

ADC [CPT TOOMAN]: Your Honor.

MJ:  Yes? 

ADC [CPT TOOMAN]: Your Honor, we object on relevance and we
would also ask the judge to take judicial notice of DoD IA training
as I'm sure you've completed it a number of times.

MJ: Where are we — where are we going with this?

ATC [CPT von ELTEN]: Ma'am, the United States is offering this
for  evidence  of  PFC  Manning's  knowledge  because  he  completed  IA 
training,  and  we're  going  to  discuss  the  contents  of  the  training  he 
would  have  completed. 

MJ:  And  which  of  these  specifications  has  a  knowledge  element? 

ATC [CPT  von  ELTEN]:  Ma'am,  the  104  specification  requires 
knowledge.  He  did  complete  the  training,  ma'am. 

MJ:  Is  this  training  is  relevant  to  the  104  specification? 

ATC [CPT  von  ELTEN]:  Yes,  ma'am. 

MJ: All right, make it — go ahead, but make it not — make it
brief on this portion, okay? Go ahead.

ATC [CPT von ELTEN]: Yes, ma'am. I'm retrieving Prosecution
Exhibit 7 [retrieving the document from the court reporter].

MJ:  Overruled. 

[The  assistant  trial  counsel  handed  the  exhibit  to  the  witness.] 

Q.  Mr.  Weaver,  do  you  recognize  those  containers? 

A. Yes, sir. These are two DoD information assurance IA
training CDs published by DoD and downloadable. It's also orderable
— order — you can order it through the DoD for use locally or as
needed by users. So this is also an acceptable way to do the
training.

Q.  What  versions  are  they? 

A.  2000  --  Version  7  and  Version  8. 

Q.  And  how  do  you  recognize  those? 

A. Sir, they're identified by the version number at the bottom
— on the corner of the CDs.

Q.  How  do  you  know  the  contents  of  the  CDs? 

A. The contents of the CDs are a — a — basically the web
pages in a CD format. It is the same IA training that was applicable
at the years or at the versions these were published.

Q.  Have  you  seen  those  CDs  used? 

A.  Yes,  sir,  I  have.  I  have  a  copy  of  my  own. 

Q.  But  those  specific  CDs? 

A. The Version 8, yes, sir.

ATC [CPT von ELTEN]: Ma'am, the United States offers — it's
already been, sorry.

Q.  What  kind  of  threats  do  —  does  that  information  assurance 
cover  —  the  training? 

A. Sir, the IA training — if you do the IA training, it
covers a multitude of issues. One of them being user training, user
password, security, security of classified information, some phishing
— or anti-phishing or phishing threats, general threats in
particular through a variety of different methods that users might be
— might be suspect to or receive e-mail threats, viruses, malware,
and so forth.

Q.  What  kind  of  outside  threats  are  identified  in  the 
training? 

A.  Specifically  —  some  of  the  outside  threats  would  be 
malicious  actors  trying  to  do  phishing  attacks  or  other  similar 
attempts  to  gain  access  networks  through  —  through  malware  or 
digital  e-mail  or  phishing  —  calling  you  up  on  the  telephone.  So 
both  physical  security  and  technical  security  or  IT  security. 

ATC [CPT  von  ELTEN]:  Retrieving  Prosecution  Exhibit  7.  Returning 
this  to  the  court  reporter. 

Q.  Let's  talk  about  some  of  those  IA  threats  you  identified. 
Let's  talk  a  little  bit  about  bad  content  in  particular. 

ATC [CPT von ELTEN]: Permission to publish, Your Honor?

MJ: Go ahead.

ATC [CPT von ELTEN]: This is page 22, Prosecution Exhibit 93.

Q. Do you recognize this, Mr. Weaver [referring to the image
on the projection screen]?

A.  Yes,  I  do,  sir. 

Q. What does Paragraph 4-5(a)(3) prohibit?

A. Sir, 4-5(a)(3) prohibits the modification of information
system  or  the  software  —  to  use  it  for  —  in  any  manner  other  than 
its  intended  purpose  or  adding  user  --  user  configurable  or 
unauthorized  software  such  as  but  not  limited  to  instant  messaging, 
commercial  internet  chat,  collaborative  environments  where  you  allow 
your  system  to  be  used  by  somebody  else  —  and  those  —  and  those  are 
descriptive  in  nature  or  examples,  not  all  inclusive. 

Q.  What  is  the  purpose  of  this  prohibition? 

A.  Sir,  the  intent  of  this  —  this  prohibition  was  to  prevent 
—  clearly  identify  the  prohibition  of  users  without  proper  authority 
to  add  application  software  or  other  content  to  a  system  by  which  is 
not  accredited  to  processed. 

Q.  And  who  has  the  authority  to  make  those  changes? 

A.  Sir,  the  authorities  to  make  those  changes  would  be  an 
authorized  system  administer  who  has  been  given  the  responsibilities 
to  change  as  it's  now  —  or  a  that  system  for  compliance  to 
vulnerabilities or patching as it's known or a DAA; Designating
Accrediting Authority, who has determined the — the appropriate
software  that's  authorized  to  be  installed  on  a  network  or  on  a 
system  by  which  users  can  use  that  —  that  piece  of  application  or 
piece  of  software.  And  then  commander  obviously  has  some  of  that 
responsibility  as  well. 

Q.  What  kind  of  modifications  are  prohibited? 

A.  Sir,  there's  a  number  of  modifications  that  are  prohibited. 
Usually  anything  that  the  user  do  that  would  violate  the  integrity  of 
the  system  is  prohibited.  And  the  installation  of  unauthorized  or 
unaccredited  software  for  which  no  risk  analysis  has  been  done  or  no 
acceptance  of  that  risk  has  been  done,  that  would  be  prohibited. 
Sharing  the  information  or  sharing  your  computer  information  or  at 
the  time  user  ID  and  passwords  with  another  individual  would  be  a 
prohibited  action  as  well,  sir,  that's  just  some  examples. 

Q.  And  just  broadly,  what  is  the  process  for  adding  software? 

A.  For  a  —  a  —  for  a  user  or  for  a  system  - 

Q.  For  a  user. 

A.  So  for  a  user,  sir,  the  process  would  be  if  you've 
identified  a  need,  you  would  ask  your  IT  support  specialist,  whoever 
that  might  be,  your  system  or  network  administrator,  your  --  and  your 
supervisor,  justifying  the  requirement  that  you  have  a  requirement  to 
fulfill.  And  you  don't  necessarily  get  to  dictate  the  solution.  You 
dictate or you ask for the requirement and allow the system network
administrators, the ID, the commander, and the DAA to determine the
method by which the requirement is fulfilled. So users don't specify
— normally don't specify a specific use of a piece of software.
They can make a recommendation, but it's still the determination of
the command.

Q.  What  defines  a  limit  of  a  user's  authorization  to  use  a 
government  information  system? 

A.  The  limit  is  imposed  by  his  —  obviously  his  duty.  His 
responsibility  is  associated  with  why  he  gains  access  to  the  system 
or  has  limited  access  to  the  system  and/or  his  responsibilities 
associated  with  that  action,  or  maybe  part  of  his  job  and  requires 
access  to  the  information  technology  on  the  daily  occurrence  of  his 
mission. 

Q.  Who  determines  the  parameters  of  the  mission? 

A.  Commanders  establish  the  parameters  by  —  and  supervisors 
where  they  may  fall  in  —  establish  those  parameters. 

Q.  Whose  account  is  a  user  allowed  to  use? 

A.  A  user's  account,  sir,  is  only  authorized  to  be  used  by  the 
user. 

Q.  What  permission  levels  does  a  user  normally  receive? 

A.  Generally  permission  of  a  normal  user  is  basically  read 
access  or  ability  to  use  a  system  as  it  was  configured  with  whatever 
permissions  or  roles  that  the  system  has  or  use  it  they  use  it  to 
like  —  the  applications  like  Microsoft  Office  ability  to  create  Word 
files,  to  create  Excel  spreadsheets  and  so  forth.  So  he's  been  given 
or  she  has  been  given  those  roles  and  responsibilities  to  use  the 
technology  as  it  was  designed  or  as  it  was  provided. 

Q.  Let’s  talk  a  little  bit  about  insider  threats. 

A.  Yes,  sir. 

Q.  What  is  paragraph  AR  25  —  or  AR  25-2,  Paragraph  4-5(a)(4) 
say? 

A.  So  the  —  this  paragraph  outlines  the  prohibition  by  normal 
users  or  those  not  authorized  to  conduct  this  activity  to  bypass  or 
circumvent  the  security  parameters  of  the  --  that’s  been  installed  or 
part  of  an  operations  or  part  of  the  design  of  the  system. 

Q.  How  does  a  user  bypass  those  mechanisms? 

A.  Traditionally  as  an  incident  he  would  have  to  or  she  would 
have  to  install  or  modify  the  system  in  some  way  in  order  to  allow 
them  to  elevate  the  privileges  on  that  computer  so  they  gain  access 
to  the  box  at  a  higher  level  or  privileged  level  or,  you  know, 
somebody  has  granted  them  unauthorized  access. 

Q.  What  are  a  couple  of  ways  a  user  could  bypass  those 
mechanisms? 

A.  So  there’s  a  number  of  ways.  One  would  be  obviously  to 
install  a  piece  of  software  or  application  or  coding  that  would 
change  the  authorization  level  of  his  system.  Another  way  would  be 
to  find  applications  or  capabilities  that  would  elevate  his 
privileges  without  changing  the  access  control  process  and  enabling 
him  to  do  more  than  he  would  be  authorized  to  do.  Or  coerce  somebody 
to  change  it  for  him,  you  know,  as  a  friend  or  as  a  unauthorized 
action  on  the  part  of  the  system  or  network  administrator  to  grant 
him  elevated  privileges. 

Q.  What  effect  would  using  a  bootable  CD  have? 

A.  A  bootable  CD  could  have  numerous  effects.  It  depends  upon 
how  the  CD  was  written  or  crafted.  Obviously  could  quickly  change 
the  access  rights  and  controls  of  the  user;  giving  him  elevated 
privileges  of  the  box  is  one  thing. 

Q.  What  if  the  bootable  CD  used  a  different  type  of  operating 
software? 

A.  It's  still  feasible  to  gain  access  to  the  system  and  much 
so  in  the  sense  that  it  would  circumvent  the  security  controls  and 
processes  of  that  system  and  its  native  environment. 

Q.  Mr.  Weaver,  what  tools  can  be  automated  on  a  computer 
system? 

A.  What  tools  could  be  automated? 

Q.  Yes,  sir. 

A.  Pretty  much  anything  you  want  to  do  on  a  computer  system 
could  be  automated  if  you  had  the  right  skills  to  craft  the  software 
or  the  application  to  do  whatever  you  needed  to  do. 

Q.  What  tools  can  a  user  add  to  automate  a  process? 

A.  Sir,  what  tools  can  a  user  add  to  automate  a  process 
surrounding  those  tools  by  which  he  has  access  to.  For  example 
Excel;  you  could  automate  the  extraction  or  the  publication  of 
content  from  a  spreadsheet,  for  example,  on  a  regular  basis,  or  other 
tools  that  might  be  on  those  boxes  that  allows  for  that  automation  to 
occur  in  an  automated  manner.  It  does  not  equate  to  his  ability  to 
install  applications  or  software  which  would  automate  those  tasks  for 
him  without  —  without  the  system  network  administrator  giving  that 
approval  or  DAA  giving  that  approval  to  do  that. 

Q.  Now,  Mr.  Weaver,  are  you  familiar  with  Wget? 

A.  I  am  vaguely  familiar,  yes,  sir. 

Q.  How  does  it  work? 

A.  As  I  understand  Wget  is  basically  an  application  that 
allows  you  to  download  files  or  do  entire  content  downloading  of  a 
website  and  upload  —  or  an  FTB  site  in  an  effort  to  gather  all  the 
information  from  that  site,  basically  it's  mirroring  a  site  — 
copying  the  whole  site  locally  to  a  —  to  a  local  drive  or  whatever 
it  might. 

Q.  When  is  a  user  allowed  to  add  Wget? 

A.  A  user  - 

ADC [CPT  TOOMAN]:  Your  Honor,  we'll  object  on  personal  knowledge 
of  Wget. 

MJ:  What  are  you  objecting  about?  The  witness  just  said  he  was 
familiar  with  it. 

ADC [CPT  TOOMAN]:  Well,  like,  we  would  like  to  explore  how  the 
witness  is  familiar  with  Wget  and  the  extent  of  the  familiarity. 

MJ:  You  can  do  that  on  cross-examination. 

Q.  Mr.  Weaver,  what  does  Paragraph  4-17(a)  state? 

A.  I  don't  have  that  one  memorized,  sir  -  4-17  - 

Q.  Is  there  anything  that  might  refresh  your  memory? 

A.  Just  the  lead-in  sentence,  sir. 

MJ:  Why  don't  you  publish  it. 

ATC [CPT  von  ELTEN]:  Okay. 

A.  Sorry,  I  don't  have  them  all  memorized.  I  used  to  but  not 
anymore. 

[The  assistant  trial  counsel  published  the  document  on  the  projection 
screen.] 

A.  Sir,  your  question  again,  sir,  I'm  sorry. 

Q.  What  is  the  purpose  of  Paragraph  4-17(a)? 

ADC [CPT  TOOMAN]:  We'll  object  to  the  relevance,  Your  Honor. 
Again,  PFC  Manning  is  not  charged  with  violating  4-17. 

MJ:  Where  are  you  going  with  this? 

ATC [CPT  von  ELTEN]:  Ma'am,  going  with  this  that  the  user  of  the 
government  system  has  a  personal  responsibility  to  follow  the  rules 
and  this  is  an  example  of  the  rule. 

MJ:  Are  we  going  to  go  through  every  paragraph? 

ATC [CPT  von  ELTEN]:  Ma'am,  this  is  the  last  paragraph  I'm  going 
to  go  through. 

MJ:  It  is? 

ATC [CPT  von  ELTEN]:  Yes,  ma'am. 

MJ:  Okay.  Thank  you.  Keep  it  that  way. 

A.  So  to  answer  your  question,  sir,  this  paragraph  outlines 
the  responsibilities  associated  with  protecting  media  inserted  to  or 
retrieved  from  an  information  system,  specifically  any  information 
that  --  or  any  removable  media  or  CD  or  USB  is  inserted  into  and 
removed  from  a  classified  system  should  be  treated  as  such  until  such 
time  it  has  been  properly  cleared  by  the  appropriate  person  or 
personnel. 

Q.  How  is  —  does  personal  responsibility  affect 
implementation  of  AR  25-2? 

A.  The  users  are  fundamentally  the  base  for  the  execution  of 
information  assurance  through  personal  responsibilities  for  conduct 
in  —  of  security  of  information  in  information  systems  relies  upon 
the  user  to  do  the  right  thing  many  times.  Technology  is  advancing 
rapidly.  Policy  doesn't  always  keep  up  with  the  technology.  And  so 
with  the  guidance  of  the  user,  the  user  has  a  responsibility  that's 
entrusted  to  him  to  not  exceed  his  authorities,  not  exceed  their 
permissions,  and  then  to  protect  that  information  and  any  information 